Micro Router Project: New Software Router/Firewall

As I mentioned in my last Trail Log, I started researching a move to a software firewall/router, running on one of my new HP MicroServers. I ended up in a place I didn’t even know existed when the trip started. So which did I choose and why?

I came up with a list of 11 possible software packages I could try. Basically I went to DistroWatch.com and searched for security and firewall distributions, of which there are about two dozen.

Pretty much everything would have more features than my current SysWan hardware router. So I was primarily interested in multi-WAN support (load balancing & failover) and ease of use. It also had to run on the HP MicroServer.

My hardware for this is:

  • HP MicroServer, currently $280 but watch for sales & rebates. I picked mine up for $255.
  • 8 GB of ECC RAM (Kingston Part #KVR1333D3E9SK2/8G). This is overkill for all the applications tested. I had originally considered running this as a XenServer virtual server so sized the memory for that. My final choice benefits from this so I’ll keep it and its $120 cost. Other options would have been fine with the stock 1 GB while others may have benefited from a second 1 GB stick. [Updated 6/5: I swapped the 8GB of RAM for 2GB so now the server runs on 2 GB]
  • In all cases the included 160 GB HDD was sufficient for the software I looked at but I ended up with two 160 GB and two 1 TB HDD for reasons I’ll explain later. The drives came from my parts shelf (or in the MicroServer) and I wouldn’t have added drives if I didn’t already have them.
  • Low-Profile dual port NIC (StarTech ST1000SPEXDP) along with an Intel NIC from the parts bin were added to the on-board NIC to give me 4 ports and max out the expansion slots. The dual port Gigabit NIC was $105 while the Intel NIC runs about $25 but came from the spare parts bin. As a side note, that StarTech dual port NIC was recognized by XenServer without needing additional drivers.

So the hardware ran about $500 [update 6/5: No longer using the 8 GB RAM so about $400]. This is about twice the cost of my existing hardware router but I ended up with gobs more features. And it’s certainly more interesting than a metal box with blinking lights. I could have cut costs by cutting back memory and sticking to 3 network ports but decided I wanted the flexibility.

Software Reviewed

Let’s be clear – when I say I “reviewed” the software it means I installed it, connected it to my DSL connection and looked around the interface. This was less than an hour per app. I figured if it took longer than an hour it failed my ease of use requirement. The software I reviewed (or at least tried to) was:

Astaro – I couldn’t install this on the XenServer in my first attempt and since I wasn’t overly impressed with what I read I didn’t try again when I switched to bare metal. While free, Astaro does have a license with limitations around it and was just purchased by Sophos.

pfSense – This (or its m0n0wall parent) was actually my expected choice going into this. Version 2 is in Release Candidate state but I could never get my AT&T DSL to work with it. So I tested and looked at version 1.2.3 which is the latest stable release. It’s lightweight and fast so it would easily run on less hardware than I was using. The interface wasn’t overly complicated but it wasn’t intuitive either and took some research and getting used to, but the more I played around with it the more I liked it.

Untangle – This is a much heavier application that requires more resources. It has a nice web GUI, which comes at the expense of heavy Java use. The software does require registration but the free subscription level has a good set of features. You can buy higher level subscriptions or order features a-la-carte. As a home user I thought the prices were high. Some of the features I wanted (load-balancing & failover) required an additional subscription cost.

For more information on pfSense and Untangle visit HomeServerShow.com and search the website or forums. There are posts and discussions about Geek-Accountant’s “Super Router” that uses both pfSense and Untangle and started me off on this router quest.

After the above three I looked at what ultimately became my choice and I liked it at first sight so I blew through the remaining software and nothing caught my eye as being better for me than even pfSense or Untangle.

So, my choice was…

ClearOS

I hadn’t even heard of ClearOS until I searched DistroWatch. In looking at their website I made a mental note that it was like Astaro in that it was a free version of a commercial product and kind of dismissed it (that mental note was wrong).  Then coincidentally this week’s FLOSS Weekly podcast was about ClearOS. Even after the podcast I was still skeptical and had low expectations, but it was enough to get me to install it.

In addition to typical router, firewall and threat management functions, it can also function as a file, print, web & database server. I installed all the modules but have only enabled a few. The screenshot below shows the available modules with the running ones identified.

[Screenshot: ClearOS Service Listing]

I am using the 15-day free trial for some of the add-ons that require payment. But overall I find the free level of service reasonable for a home user, and the costs for the add-on services realistic for a business that needs them. They were less expensive than comparable add-ons for Untangle.

I’m still trying to figure out the whole relationship between the Clear Foundation and ClearCenter but in my simplistic view ClearOS is a pretty robust Linux distro controlled by a commercial entity and targeted to businesses. That commercial entity survives with their own business model of selling add-on services. Those services are sold through ClearCenter.

The current version of ClearOS is based upon CentOS 5.2. In my review of potential server OSes I mentioned there were some grumblings in the CentOS community. Well, for whatever reason ClearOS has decided that the next version of ClearOS will be based upon RHEL and not CentOS. Since CentOS is based upon RHEL anyway this isn’t too much of a change for end-users like me but does cut out the middle-man.

There’s also a lot of good information on the ClearOS websites and they have a pretty active forum with good info. I did find the ClearFoundation/ClearCenter pillars a bit confusing and annoying at times but there’s good info there.

I’m always hesitant to trust “next version” promises and I did pick ClearOS for what it does today. But I looked at their Roadmap and two features I would want are slated for the next release: Kaspersky Antivirus Integration and Google Apps Integration.

Why I Picked ClearOS

To be honest, a big reason is that I went into it with low expectations and was pleasantly surprised to see it is really a nice distribution. Who doesn’t like a come-from-behind finish? Plus there’s just a lot to play around with.

It’s also a full-fledged server similar to Microsoft Small Business Server. It’s targeted to business rather than home (although a home edition is on their roadmap for an unspecified future version). As I said in the beginning, any of these solutions will be better than my current hardware.

The interface is a little quirky but it’s generally well laid out and easy to use. I like that there’s a context sensitive help button on each page that opens the suitable online help page in a new browser tab.

While free is good and I like free, I also like to support products I like and use if for no other reason than to help them stick around. Their business model makes it realistic for me to do that. If this lives up to my new & improved expectations I could see spending the $100/yr for the lowest paid subscription to get both those benefits and support the product. Or I may wait for Kaspersky to show up and go a-la-carte. Of course, this all depends on how well it works, how much I use it, and how much I’d miss it if it went away.

The Hardware

I went with 4 NIC ports although I could get by with 3. I have one for DSL, one for Cable and one for the local LAN. The fourth dates back to when I considered running XenServer and would have used it for management. I’ve left it as it gives me the flexibility to add a test segment, wireless guest network or DMZ. For a simple home network you’d only need one WAN and one local port.

I’m using the motherboard RAID for this install. The two 160GB drives are mirrored and the two 1 TB drives are mirrored. So far it’s worked well. I should point out that Untangle couldn’t install the Grub boot loader when I tried its install on the mirror. It was fine when I removed the mirror. It may have been an unrelated coincidence.

The services I’m using now could easily live on the 160 GB drive mirror, but the additional space will allow me to try out the web server and other services.

It’s only been a day, but performance on the HP MicroServer has been fine.

Power Consumption

The server pulls 48 to 51 watts during typical usage, putting it at the top of the list of power consumption on my MicroServers. Guess those NICs and drives add up.

The hardware router it replaced pulled 6 watts so there is an 8x increase in power usage which is a negative aspect of this project.

Summary

ClearOS does require a subscription to get updates and it includes some additional services. I’ve only been running it about a day so I’ll hold off any review.

The free subscription does include Dynamic DNS so it’s nice to get that free although I’ve yet to use it. Seems similar to the service HP (and others) offer with Windows Home Server in that it adds a subdomain to a domain Clear provides. You can also register your own domain through ClearCenter and use that. There’s no price list but I started the registration process and was told it would be $25. This is expensive for domain registration (although not the most expensive) but more reasonable when you consider it includes Dynamic DNS which can cost more than $25 from other places.

Overall I’m happy with the capabilities and ease of use with ClearOS. I seriously considered Untangle due to its ability to integrate Kaspersky Antivirus (but at $108/yr). ClearCenter does offer their own AV subscription for $50/yr but they are unclear who creates/tests the virus defs so there’s no way to assess quality or reliability.

Now it’s time to just let it sit there and do its thing. I’ve swung from low expectations to now really liking it. I’m hoping the pendulum doesn’t swing back the other way.

Anybody else using ClearOS or a similar product?