If you're the average user who's happy with your basic wireless router or is possibly looking to upgrade your aging N-router or...*gasp*...G-router with a shiny new AC-router, building your own router is probably not the road you want to venture down. If, however, you have the need for multiple network segments, want the added functionality of enterprise-class routers without the high cost of commercial offerings, or just have the hankering for a fun and challenging project that will vastly increase your tech skillz, building your own router is definitely for you.
There are a ton of guides out there showing you how to turn an old PC into a router using SmoothWall which is a fine option if you're on an extremely tight budget. This article, however, will focus on showing you the ultimate versatility a self-built, compact, low-power router can provide rather than being a step-by-step How-To Guide. This solution is perfect for someone who doesn't have the budget for high-end solutions, but whose needs have outgrown the basic off-the-shelf appliances.
Intimidated? Don't be.
These are just plans for my treehouse.
- 1. The Hardware
- 2. Method 1: Routers Should Just Route Man
- 3. Method 2: I Want It All
- 4. What About Wireless?
I recently undertook this project myself as my previous router build was starting to show its age. I was running an Asus Eee PC with a couple USB-to-Ethernet dongles thrown in to create additional network segments. While this was fine for my first-time home build, it's not something I would ever suggest or build for one of my clients. So, I set off on my journey to find a PC with multiple built-in ethernet ports in a compact, preferably fanless, case. While there weren't a ton of options available, I did run across a company that seemed to focus all of their products on this exact market. That company is Jetway.
If you've been around the tech industry for a few years, i.e. are old, you may remember a company named Shuttle. Shuttle manufactured barebone PC's in a compact case about the size of a toaster oven. All you needed to do was drop in your own CPU, memory & hard drive and you had this awesome little LAN Box you could show off to all your friends. Jetway has taken this concept and improved on it. They make PC's with embedded CPU's in an even smaller fanless case and focus their designs on different industries that have the need for these compact little miracles. Luckily, one of their focuses is the self-built router market.
You can find a lot of Jetway's products on Amazon, but one of the best places to shop for Jetway is MITXPC. They actually sell through Amazon as well, but you may find better deals buying directly from their website. After browsing their site, you may feel overwhelmed by the multitude of offerings, but for the purposes of this project, I'll focus on models that have 4 to 5 Gigabit ethernet ports. Why so many? Well, most routers you buy already offer 5 ethernet ports as a standard, 1 WAN and 4 LAN. You may be tempted to save some money with a Dual-Port offering, but a Multi-Port model will give you the flexibility to build in future network segments like a Guest or VOIP LAN or maybe even a Dual-WAN configuration to provide failover and load-balancing. You can even bridge together your unused ports and have them act as a makeshift Gigabit switch. Starting to see what I mean by ultimate versatility?
Even after narrowing our search, there's still a bit of decision making to do --namely, what CPU should I get or more to the point, is this CPU fast enough for me? If you're looking to build a router that just...uh...routes, you can get away with the cheapest CPU available including the Intel Atom. Atom, you say? Aren't those the cheapo CPU's they put in Netbooks and such. That is correct, but have you ever thought about the types of CPU's they run in your average router. Yup, even your wireless routers have CPU's and you better believe companies aren't stocking them with Core i7's. In reality, it doesn't take much CPU horsepower to operate a router, however if you're looking to build in an IPS (Intrusion Prevention System), provide connectivity to a ton of VPN users or even double your router as a web or file server, you're probably going to want something a little higher up the food chain. I myself went with a 5-Port Jetway sporting a Quad-Core Celeron N2930. While this CPU is by no means a beast, it has been serving as my multi-segment home VPN router with a 200Mbps/20Mbps WAN link, IPS and web server for the past 6 months and I've never run into any bottlenecks. In fact, this box is currently serving up the web page you're reading right now. I know security experts would probably berate me for hosting a public site on the same machine that functions as my router/firewall, but this site is way too small for me to go with an externally hosted solution and I do take every measure I can to ensure the security of my machine. To all my readers though, yea, they have a point, don't do it. Ok, back to the hardware.
Some of the offerings from MITXPC already come with 2GB of RAM installed. Since my router was going to double as a server, I opted to swap out the single 2GB SODIMM for 2x 4GB Kingston HyperX 1600Mhz SODIMM's. This is the same type of memory you'll find in most laptops so feel free to shop around for the best priced memory and go with that. If you intend for this build to function solely as a router, 2GB of memory is more than enough.
The only thing you'll definitely need to purchase for your Jetway, is storage. All Jetway's fit standard 2.5" drives, a.k.a. Laptop drives so any 2.5" drive will do for a standard router build, but if you want your machine to have that added speed boost, you can opt for an SSD. To be clear, this speed boost only pertains to read/write functions and will not increase the speed of your Internet connection at all so don't blow your entire budget on the fastest SSD on the market. I went with the solid, but affordable Samsung 850 EVO 120GB SSD which was on sale at the time. I would check for deals before purchasing as your storage needs may vary greatly from mine. To be honest, I could've gotten away with a much smaller SSD, but this allows me room for growth.
The Jetway I chose also came with an mSATA slot so if you were so inclined, you could pop in an mSATA drive as well, but until prices start coming down, it just isn't worth the cost. Some models also include support for Compact Flash memory which could potentially save you even more money at the cost of some performance. Compact Flash is perfectly fine for a standard router build and up to a couple years ago was the staple storage device for most enterprise class routers, however, I would still recommend a 2.5" drive for anything more demanding.
Sample Router Builds
|Budget Router||Multi-Function Router|
|Jetway 4-Port w/Intel Atom||Jetway 5-Port w/Intel Celeron|
|PC||Jetway JBC373F38W-525||$249.94||PC||Jetway JBC200F9N-E4IN-B||$309.89|
|CPU||Intel Atom 1.8Ghz Dual-Core w/HT||-||CPU||Intel Celeron 2.16Ghz Quad-Core||-|
|Ports||4x Realtek RTL8111EVL GigE||-||Ports||1x Intel i211AT & 4x Intel 82574L GigE||-|
|RAM||Hynix 2GB DDR3 1333Mhz SODIMM||$9.00||RAM||2x Kingston HyperX 4GB 1600Mhz||$46.99|
|Storage||Sandisk Ultra 16GB Compact Flash||$17.95||Storage||Sandisk Ultra II 120GB SSD||$55.99|
|Total Cost: $276.89||Total Cost: $412.87|
This is a cost breakdown of a couple different router builds to give you an idea of what kind of an investment you'll be making. As you can see, there's a significant price difference when compared to your average SOHO router, but this is no average router. Remember, we are building a machine that will have many of the capabilities of an enterprise class router at a fraction of the price. To give you some perspective, the Cisco ASA 5506H-X which is an entry-level router, costs about $2100 not counting all of the additional licenses you'll need to purchase to unlock many of the features we can implement for free. But how do we turn this tiny PC into a bad-ass, do anything router? Well to do that, you'll first need to decide whether you want this machine to function solely as a router or if you want the added functionality of a server as well. If you want to take the faster, streamlined approach to your router build stick with Method 1. If you have the need for a more versatile and challenging build, skip to Method 2.
If you're content with building a router that will destroy any off-the-shelf offering and that will rival a lot of enterprise solutions without the need for all the extra server functionality, I suggest you give pfSense a look. If you never heard of pfSense, think of DD-WRT for PC's or a more versatile Smoothwall. pfSense is a free, extremely lightweight OS based on FreeBSD that allows you to setup a router in minutes. While the initial installation may be a little scary for those who've never installed UNIX or Linux before, once the fear subsides and enter has been pressed a few times, you'll be presented with a familiar Web-based GUI to configure your new router to your hearts content. If you need more guidance on the initial setup and configuration, you'll find a ton of sites on the net to help you out like this one, pfSense Install Guide.
The beauty of pfSense is that because it's based on FreeBSD, there are a lot of community supported packages that add to the already lengthy list of features pfSense provides.
Here's a list of a few features pfSense offers right out of the box.
- Client & MultiSite Setups
- Support for Multiple Protocols
- Failover & Load Balancing
- Multi-WAN Support
- QOS/Traffic Shaping
- Stateful Firewall w/Granular Control
- Reporting & Monitoring
- Captive Portal (Hotspot)
If you want to avoid the fun of building your own router, you can even purchase hardware directly from pfSense preloaded with their software. While their prices are within reason, you'll definitely save money by undertaking this build yourself. Heck, that's pretty much the point of this article.
If installing an OS and playing with a Web-Gui isn't enough of a challenge for you or if you have your heart set on building the most versatile router on the planet continue read on.
So you want it all. Who doesn't? Well be prepared because setting up an all-in-one router/firewall/server is not easy and for the most part there's no pretty GUI to hold your hand unless you count ncurses. So what is the magical OS that will unlock all of this for you? Linux, of course. Some may argue that Windows and OS X are more than capable of providing these functions as well, but both of these OS's use up a lot more resources than a stripped down, lean and mean Linux server. More importantly, Linux is free.
My distro of choice has evolved over the years, but my latest go to is Ubuntu. In reality, almost any Linux distro would be suitable for this build, but Ubuntu is arguably the most widely used which makes it a lot easier to find support for any issue you may run into. If you decide you want to give Ubuntu a try, make sure to download the Server version and not the Desktop. We want to install only the bare minimum of packages to keep our Router as fast and secure as possible.
As stated at the beginning of this article, this won't be a step-by-step How-To, but I will provide a list of software to get you going once you have you've chosen your OS. Luckily, there are a lot of guides on the net to help you through each install.
Router & Firewall
Shorewall - Most distro's already come with IPTables installed which is Linux's default stateful firewall. IPTables can provide just about everything we need from a routing and firewall standpoint, but if you've ever tried to configure IPTables by hand, you'll soon find yourself abandoning this project and binge watching Netflix instead. Shorewall, while not a replacement for IPTables, is a package that helps you to more easily configure IPTables through the use of handy little text files. While the learning curve is still big, it's definitely a lot easier than writing your own rulesets by hand.
OpenVPN - Probably the most well-known Open-source VPN software, it's also the foundation of a lot of commercial VPN solutions. Like most of the installs in this article, not easy the first time around, but because of it's popularity there is a lot of online help. I use OpenVPN as a strictly Road-Warrior solution to secure my laptop's traffic when I'm away from home. For a permanent, always-on VPN connection I turn to the next product.
Tinc - You've probably never heard of Tinc before, but it's actually been around since 1998. I only stumbled upon it a few months ago when looking for the best Site-to-Site VPN solution. The reason I fell in love with Tinc is because of it's multi-site VPN capabilities. If you've ever installed multiple Wireless Access Points in one location, you may be familiar with the term Mesh network. A Mesh network allows AP's to intelligently route traffic back using other AP's as their bridge. If one AP goes down, it will automatically reroute traffic following a different path of AP's. Tinc does the same thing but with VPN's. Instead of following the traditional methodology of having one central location where all other sites connect to, it uses a mesh network to provide more flexibility and fault tolerance. If one location goes down, it can automatically reroute traffic through another site with minimal downtime. Impressed?
ntopng - There are plethora of monitoring apps for Linux, but if you want one that provides real-time and archival graphs that you configure based on different criteria all in a pretty little WebGUI, ntopng is probably for you. While it does come in free and paid versions, the free version should be all you need for your stand-alone router. If you need to collect data from multiple routers or devices, then you'll need to pony up some dough.
IDS/IPS (Intrusion Detection/Prevention System)
Snort - To be honest, I haven't used Snort in a view years, but they are still the go to product if you want to implement a Linux based IDS/IPS. Believe it or not, Cisco actually uses Snort in their products so you can be sure that development of Snort will continue through the years. Sadly though, it looks like they now charge an annual subscription fee for ruleset updates. I believe you can still get free updates that are 30 days or older, but that doesn't help you when the latest worm hits the net. If I find a totally free solution that's comparable to Snort, I'll update this post.
OpenSSH & Samba - If you've built your router with a little extra disk space and would like to store some files or backups on it, OpenSSH provides a quick and easy way to securely transfer those files. If however you have the need to connect Windows machines and don't want to deal with installing an SSH/SFTP client, you can install Samba. Keep in mind though that Samba traffic is not encrypted by default so if you're concerned with security, which you probably should be, you'll need to invest some time in securing Samba or just suck it up and use Filezilla to SFTP your files. Trust me, it's a lot easier.
Apache - I'm not sure what the exact numbers are, but Apache is still the most widely used Web Hosting platform with NGINX challenging for the crown. I still use Apache as I'm pretty familiar with it and haven't had the time to look into NGINX yet. Again, not a simple install, but there are a lot of guides available. Out of all the functions on this list, this is probably the most controversial due to all of the web exploits that can potentially compromise your router. If you decide to live dangerously like me, make sure you run daily updates and restrict access as much as possible. Use SSL if your site requires a login or has sensitive data, even if all you can afford is a self-signed cert. There are numerous ways to harden Apache from attack and mitigate risk, but that's a topic for another time.
This list is just a few examples of the many functions your router can shoulder. Linux, in and of itself, has unlimited potential and possibilities. Just remember to always keep stability and security in mind when making these choices as this machine will most likely be your primary, if not sole, pipeline to the internet.
What About Wireless?
You may be asking yourself, "How can this be the ultimate do-anything router when it doesn't even have wireless?" Well, you have a couple options when it comes to implementing wireless with your router.
Option 1: Recycle your Wireless Router
For most of you who already have a wireless router, you can save yourself some money by recycling that router into a wireless access point. Just login to your router's WebGUI, disable routing and assign the LAN interface an IP on your local network. Then just plug a cable from one of the LAN ports on your wireless router, now turned access point, to the internal interface on your newly built router and you now have wireless. Not only does this allow you wireless access, but it also gives you 3 extra Gigabit ports to use internally. Wireless and a 3-Port Gigabit switch for money already spent is a pretty good option. If you wanted to get even fancier, you could install DD-WRT on your router and reconfigure your WAN port as a LAN port and you now have 4 additional Gigabit ports. Open Source is all about stretching every last penny.
Option 2: Mini PCIe To The Rescue
If you opt for the Jetway JBC373F38W-52 in the Budget build example, it already comes with a Mini-PCIe 802.11 B/G/N card installed with a little antenna to boot. While this will provide you basic wireless connectivity, I wouldn't expect excellent range or throughput with this Single-Band/Tiny Antenna combo. You could always invest in a larger antenna to boost your signal, but at that point I would probably invest in a separate Wireless AP.
The Jetway JBC200F9N-E4IN-B in the sample Multi-Function build unfortunately doesn't come with a Mini-PCIe WiFi card. While you could purchase one separately, I wouldn't suggest it. The case this Jetway comes in doesn't provide any cutouts for an external antenna so all antennas would be confined to the inside of the router which leads to weak signals. I was informed by MITXPC's sales staff that what I initially though was a cutout for a wireless antenna is actually a cutout for a DC-input on other models. I guess you could jerry-rig something with that hole, but it's not something I've tried myself.
I guess my do anything router does have a shortcoming after all, but if you do your research you'll find that every enterprise class router on the market lacks wireless functionality. It's probably due to security concerns as well as them wanting you to spend extra cash on a separate wireless infrastructure. In any case, you may have some tough decisions if wireless is a priority, but my advice is to go with a separate wireless router to fill that need. You can even opt for a used one on Ebay, if your budget is tight. There's a lot of people ditching their old routers for an AC-class one so you might even be able to land one for free.
Hope this article at the very least piqued your interest in building your own router. Even if this solution doesn't make sense for you financially, it's still a great weekend tech project to try out if you got some spare hardware laying around. Til' next time folks.