More on little firewalls (by alaric)
Ok, I've picked up two Soekris net4801s. Lovely little boxes!
Installing OpenBSD on them via PXE was trivial. One interesting point was that I was running them from a 6v power supply, since the thing requires from 6 to about 28 volts. Presuming this to mean there's a linear regulator within generating a 5v line, I ran it from 6v to reduce the losses in the linear reg.
Anyway, all was well, until the box started to refuse to reboot. I was puzzled for a while, then I increased the voltage on my (cheap, unregulated) power supply unit. At first I thought my cheap little power brick was probably undervolting, but when all power to the area went down (including the streetlights on the A127!), it occurred to me that perhaps the mains power might have been a little under 240v anyway 🙂
I got two of them, one for the original transparent firewalling application, and another to play with that I've decided to use to replace my current home LAN router - a 486 desktop machine running NetBSD. I'm using Ethernet bridging to make it appear like a three-port Ethernet switch linking the DSL router, my DMZ network, and my internal network; the internal machines use a private IP range, while the DMZ network machines have both private IP and public IP addresses; the Soekris box acts as a packet-filtering transparent firewall between the three LANs, while also being a NAT router between the private IP range and a public IP address.
This all works fine, except that if a DMZ machine tries to talk to the internal IP address of the router (which runs a DNS server), the response comes back from the external IP of the router, and with a different source port, so it isn't recognised by the DMZ machine as a valid reply. I've worked around it by getting the DMZ machines to use the router's external IP as their DNS server, telling the router to allow access to the DNS server via the external IP only from the DMZ, and moving more interface-dependent services such as DHCP and broadcast NTP off the router onto a DMZ machine.
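For readers who want to see what such a three-port bridge-plus-NAT setup looks like as a ruleset, here is an added example pf.conf. It is not the configuration from the box described above; it is a constructed illustration. It assumes the net4801's three sis(4) ports are sis0 (DSL router), sis1 (DMZ) and sis2 (internal LAN), all members of bridge0 (created with an /etc/hostname.bridge0 containing `add sis0 add sis1 add sis2 up`), that the private ranges and the router's public address are the placeholder values shown, and that the newer OpenBSD pf syntax (match ... nat-to, OpenBSD 4.7 and later) is available; on the OpenBSD releases of the net4801's era the NAT line would be written with the older `nat on` form instead.

```pf
# Added example pf.conf for a bridged three-port firewall with NAT.
# Constructed for illustration; interface names, addresses and networks
# are assumptions, not taken from the original post.
ext_if  = "sis0"            # port towards the DSL router
dmz_if  = "sis1"            # port towards the DMZ network
int_if  = "sis2"            # port towards the internal LAN

ext_ip  = "192.0.2.10"      # assumed public address of the router (TEST-NET-1)
int_ip  = "10.0.2.1"        # router's address on the internal LAN
dmz_net = "10.0.1.0/24"     # private range used on the DMZ
int_net = "10.0.2.0/24"     # private range used on the internal LAN

set skip on lo0
block log all               # default deny on every bridge member

# NAT: only the internal private range is translated to the public address.
# DMZ hosts carry their own public addresses and are bridged through untouched.
match out on $ext_if inet from $int_net to any nat-to $ext_ip

# Internal LAN: may use the router's DNS on its internal address, and go anywhere.
pass in  on $int_if inet proto { tcp, udp } from $int_net to $int_ip port domain
pass in  on $int_if inet from $int_net to any
pass out on $ext_if inet from $ext_ip to any

# DMZ: the DNS server is reachable only via the external address, and only
# from the DMZ range; the internal address is deliberately not opened to it.
pass in  on $dmz_if inet proto { tcp, udp } from $dmz_net to $ext_ip port domain
pass in  on $dmz_if inet from $dmz_net to any
pass out on $ext_if inet from $dmz_net to any

# Nothing from the DSL side may reach the resolver on either address.
block in on $ext_if inet proto { tcp, udp } from any to { $ext_ip, $int_ip } port domain
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. When chasing a mismatched reply of the kind described in the post, `pfctl -ss | grep ':53'` shows the state entries, including which address and source port the translated side of each DNS conversation is actually using, which is a quick way to confirm whether a reply is leaving via the NAT address rather than the one the client asked.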