Okay, to begin, a friend and I are looking into building a few of these embedded router/gateway/firewall devices, mainly because most consumer-level routers don't provide the level of control we want over our routing, plus we're also doing this for fun, as a learning/educational project. So far we've done an excessive amount of researching and searching for suitable products, but we're not certain what would best fit our needs/requirements for such a device, so...
Anyway, here's a list of minimum requirements that we strongly want met for the embedded device.
- It needs to be able to sustain at minimum 10 Mbps throughput from WAN to LAN with the features listed below enabled; the faster the better, but at minimum 10 Mbps.
- At minimum 2 ports, but more ports are welcome: one port for WAN, one for LAN, and if a product has 3+ ports the 3rd would probably be used for a DMZ and/or a separate subnet for certain types of devices, but having more than 2 ports is not required.
- A firewall ruleset of approximately 50 to maybe 150 rules, plus hopefully connection tracking to help speed up firewall processing; in other words, the initial packet will probably have to go through a lot of rules, but then hopefully it'll be added to a connection tracking table and future packets can take a shortcut through connection tracking. (Probably iptables or pf.)
- QoS scheduling/queuing for priority traffic that requires a low-latency connection, such as ssh; probably approximately 3-5 queues for items such as bulk traffic (torrents/large downloads), latency-sensitive traffic (ssh, video relay, VoIP), and others. It's also used to ensure all devices/computers on the network get a fair share of the network connection, i.e. webpages/e-mail/etc. are prioritized over bulk traffic such as torrents.
- Masquerading/NAT, including a few port forwards to a few devices/computers on the network; this will be for approximately 10+ computers and/or devices, such as a WAP, game consoles, a video relay device, and VoIP devices.
- DNS masquerading, to speed up the most commonly used DNS queries and make the network appear faster to the users.
- Static DHCP IP addresses based on MAC address, plus a separate subnet of dynamically assigned IP addresses for wireless devices on the WAP access point.
- Low power, preferably 25 watts or under, but if necessary to implement all of the above features and the optional features, willing to accept up to 50 watts or so.
- Most of the traffic will be mainly web browsing, e-mail, and IM from the majority of the computers, but there will be one computer doing very light to moderate torrenting (5ish or so torrents running), there will be game consoles playing games online, and there is also the video relay and/or VoIP.
Now, the features below would be nice to have but are not mandatory; if it's not possible to do them on an embedded or low-powered device, my friend and I can probably offload most of them to a second computer on the DMZ dedicated to processing that kind of stuff, i.e. a server.
- Hopefully implement some form of port knocking to open up a port to allow ssh to connect to this router, and/or a VPN of some form, maybe IPsec or whatnot, to connect to this router or be forwarded to a DMZ server on the LAN.
- Would be nice to be able to do packet logging with the logs forwarded to a log server, possibly a bit of packet sniffing and IDS, but that would probably be too much for a low-powered embedded processor, so maybe forwarding those packets to a DMZ server on the LAN for IDS processing and whatnot.
- Want to see if it's possible to break up the network into several subnets, such as 192.168.1.* for computers, 192.168.2.* for game consoles, then other subnets for the DMZ, WAP and so forth.
- Also it would be nice to support at least one encrypted VPN link from the outside world to the private LAN, or an encrypted VPN from the wireless for more security. If it's too much for an embedded system to handle, it could maybe be offloaded to an encryption accelerator, or to a DMZ computer on the LAN that is dedicated to/capable of that kind of work.
Anyway, before we decided to post on this newsgroup my roommate and I did a lot of researching, but we can't really find any good benchmarks or whatnot that explain how much memory and how much processing power it would take to do the above requirements/wants. We're also not clear on the differences in CPU speed/architecture. We've heard that a 266 MHz AMD Geode processor would be equivalent to a 100 MHz Pentium processor, and that a 1 GHz VIA Nehemiah would be equivalent to a 400-500 MHz Pentium processor, but we're not sure how accurate these comparisons are; plus we found a few products using the ARM and MIPS architectures, and we're also not sure how those compare to the competition.
But anyway, without further ado, here are a few products we have been looking at and considering.
- A VIA mini-ITX with one onboard Ethernet port and maybe an Ethernet card to supply 1 or 2 more Ethernet ports. The advantage of this platform is that it has a relatively strong processor, and some of the later VIA CPUs have an encryption accelerator inside the CPU itself. However, they also have a ton of excess and unneeded crap on them, such as an MPEG accelerator, VGA ports, sound cards and so forth, so we're not sure how much excess power draw will be wasted on items we won't even use. (Approx. 500 MHz to 1.5 GHz VIA processors available.) - formatting link
- Next, we've considered a board based on the Intel XScale processor, which as far as we know is an ARM processor, and we're not sure how good the support is for these; the one we found is approximately 533 MHz, and the board itself is attractive, but one negative is that the flash is soldered onto the board... we would prefer a solution with removable CompactFlash. Also we're not sure how a 500 MHz XScale processor would stack up against the competition. - formatting link
- Another product is the Soekris board, which has a 266 MHz AMD Geode processor, and it certainly looks like an attractive board, but just how powerful is the processor, and can it support the demands we want to place on it? Also I've heard that the hardware encryption Soekris offers isn't that great, as in the producer of the Hifn chipset has closed their documentation and there is currently a pretty severe bug in the code that probably won't get fixed due to Hifn closing their documentation. - formatting link
- A competitor product to the Soekris board is the WRAP board, which seems mostly similar in many ways to the Soekris boards. - formatting link
- Another option we are considering is a mini-ITX motherboard that supports the Pentium mobile processor, so we can stick in an ultra-low-voltage Pentium mobile processor, but that solution will probably consume more power, as in 50 watts and up. - formatting link
- Another AMD Geode processor, this one at 1.4 GHz, but we're not sure how much power it would consume and whether it would be suitable for our application. - formatting link
- Then a firewall product based on a 400 MHz Celeron, based, I believe, on the Pentium mobile architecture, but we're not familiar with the company or whether they're reliable, plus how much power it would draw, but this one looks nice also. - formatting link
- Similar to the above one - formatting link
- Then we found an embedded board using a 400 MHz MIPS32 4Kc CPU, but how powerful is this CPU? We don't have any clue how MIPS and ARM compare to the other offerings, so there's no real way to determine how powerful this product is. - formatting link
If wanted and/or needed we can provide more product links, but anyway I guess what we are looking for is a good guideline on minimum memory requirements and minimum processor speed to be able to do at least most of the items in the required list, and it would also be nice to get an idea of how much processing power would be required to do almost everything in the above list.
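One way to lay out the stateful ruleset the post asks about, as an added example that is not part of the original post: a generator for an iptables-restore file for the 2-3 port layout, with the connection-tracking shortcut placed ahead of the per-flow rules, masquerading on the WAN port, and one port forward to a DMZ host. The interface names, the subnets and the 192.168.2.10 host address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names, subnets and the DMZ
# host address are assumptions. Load the output with: gen_ruleset | iptables-restore
WAN=eth0   # assumed WAN port
LAN=eth1   # assumed LAN port, 192.168.1.0/24
DMZ=eth2   # assumed optional third port, 192.168.2.0/24
DMZ_SSH_HOST=192.168.2.10   # constructed placeholder for the DMZ ssh server
gen_ruleset() {
cat <<EOF
*nat
# Port forward WAN tcp/22 to the DMZ ssh host
-A PREROUTING -i $WAN -p tcp --dport 22 -j DNAT --to-destination $DMZ_SSH_HOST:22
# Masquerade everything leaving the WAN port
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Connection-tracking shortcut: packets of flows already in the conntrack
# table are accepted here and never reach the longer per-flow ruleset below
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Only the first packet of each new flow is evaluated from here on.
# Router services offered to the LAN: DNS and DHCP (dnsmasq) and ssh admin
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
# LAN and DMZ may reach the WAN; LAN may reach the DMZ; the DMZ cannot
# start flows into the LAN (falls through to the DROP policy)
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -j ACCEPT
# Admit the forwarded ssh flow only after the nat table has DNATed it
-A FORWARD -i $WAN -o $DMZ -p tcp -d $DMZ_SSH_HOST --dport 22 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}
# True when the conntrack shortcut is the first FORWARD rule, i.e. packets of
# established flows never traverse the per-flow rules
shortcut_first() {
  gen_ruleset | grep '^-A FORWARD' | head -n 1 | grep -q 'ESTABLISHED,RELATED'
}
# Number of FORWARD rules a brand-new flow may have to traverse
forward_rule_count() {
  gen_ruleset | grep -c '^-A FORWARD'
}
```

The same ordering matters with a 150-rule set: put the ESTABLISHED,RELATED accept first so only the first packet of each flow pays for the full walk.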