Building a Low Power Firewall
For a number of years now I have used my old desktop computers to act as firewalls for my home network - when my desktop is upgraded the old firewall is freecycled and the old desktop becomes the new firewall.
A powerful desktop computer in a large tower case has a number of disadvantages however, both in terms of it’s physical size and the amount of power it needs to run on a 24/7 basis. So I have been meaning for some time to replace my firewall with a small, purpose built, low power system.
In the last few weeks I have finally got around to going ahead with this task so, after some hours perusing the hardware porn at LinITX I ordered an Intel D945GSEJT Atom based Mini-ITX motherboard and the exceedingly tiny Mini-Box M350 case. Here we see the result, with a 2Gb SODIMM and a 4Gb SATA flash module added.
Also visible here are a pair of dual frequency (2.4/5.0 GHz) aerials for WiFi as the firewall will also be replacing my existing wireless access point. An extra hole had to be drilled in the back plate for the second aerial, which necessitated a trip round the corner to the hardware store as sod’s law dictated that a 6.5mm hole was needed when the largest HSS bit in my collection was 6mm in size…
Part of my LinITX order was an Intel 512AN Mini-PCIe wireless card - this was carefully chosen based on the fact that Intel WiFi cards are well supported in the linux kernel with modern, mac80211 based drivers. Unfortunately as soon as I started investigating how to configure it as an access point it quickly became clear that the drivers for the Intel WiFi cards do not, in fact, support AP mode. The main authors of the drivers appear to be Intel themselves, and there seems to be little enthusiasm for supporting AP mode.
So that card went back (distance selling regulations to the rescue!) and in it’s place I sourced an Atheros card instead, which was easier said than done - Mini-PCIe wireless cards are surprisingly hard things to find, perhaps because they mainly sell to laptop manufacturers on a wholesale basis. I also had to wait a full week for Royal Mail to manage to deliver it (a first class recorded package) and that was before they went on strike!
While I was waiting for the replacement wireless card to arrive I was able to install the PCI riser (which had arrived a few days late having been missed when my order was packed) and a gigabit network card harvested from my old firewall which would provide the second network port needed in the firewall.
Finally, the replacement wireless card arrived and was installed in the Mini-PCIe slot (under the PCI card) and the aerials connected. All that was then needed was to knock up a configuration file for hostapd and it was up and running as an AP and the radio on my old Netgear access point could be turned off.
The only outstanding issue is that while my laptop (running linux) is quite happy to talk to the new AP my Windows Mobile 5 PDA seems to object to it for some reason that is still not entirely clear - it appears to successfully attach to the wireless network and sends DHCP requests but seems to be unable to receive (or perhaps to decrypt) the replies.
So, after all that, my new firewall/access point is now installed in my network and, within a few hours of offering my old firewall on freecycle about a dozen different people had offered to take it (despite it lacking any operating system) and it now has a new home.
