Building a Low Power Firewall

For a number of years now I have used my old desktop computers to act as firewalls for my home network – when my desktop is upgraded the old firewall is freecycled and the old desktop becomes the new firewall.

A powerful desktop computer in a large tower case has a number of disadvantages however, both in terms of its physical size and the amount of power it needs to run on a 24/7 basis. So I have been meaning for some time to replace my firewall with a small, purpose built, low power system.

In the last few weeks I have finally got around to going ahead with this task so, after some hours perusing the hardware porn at LinITX I ordered an Intel D945GSEJT Atom based Mini-ITX motherboard and the exceedingly tiny Mini-Box M350 case. Here we see the result, with a 2Gb SODIMM and a 4Gb SATA flash module added.

Firewall with motherboard, memory, SATA flash module and WIFI aerials installed

Also visible here are a pair of dual frequency (2.4/5.0 GHz) aerials for WiFi as the firewall will also be replacing my existing wireless access point. An extra hole had to be drilled in the back plate for the second aerial, which necessitated a trip round the corner to the hardware store as sod’s law dictated that a 6.5mm hole was needed when the largest HSS bit in my collection was 6mm in size…

Part of my LinITX order was an Intel 512AN Mini-PCIe wireless card – this was carefully chosen based on the fact that Intel WiFi cards are well supported in the Linux kernel with modern, mac80211 based drivers. Unfortunately, as soon as I started investigating how to configure it as an access point it quickly became clear that the drivers for the Intel WiFi cards do not, in fact, support AP mode. The main authors of the drivers appear to be Intel themselves, and there seems to be little enthusiasm for supporting AP mode.

So that card went back (distance selling regulations to the rescue!) and in its place I sourced an Atheros card instead, which was easier said than done – Mini-PCIe wireless cards are surprisingly hard things to find, perhaps because they mainly sell to laptop manufacturers on a wholesale basis. I also had to wait a full week for Royal Mail to manage to deliver it (a first class recorded package) and that was before they went on strike!

While I was waiting for the replacement wireless card to arrive I was able to install the PCI riser (which had arrived a few days late having been missed when my order was packed) and a gigabit network card harvested from my old firewall which would provide the second network port needed in the firewall.

Firewall with PCI riser and second Gb network card installed

Finally, the replacement wireless card arrived and was installed in the Mini-PCIe slot (under the PCI card) and the aerials connected. All that was then needed was to knock up a configuration file for hostapd and it was up and running as an AP and the radio on my old Netgear access point could be turned off.
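The post does not reproduce the hostapd configuration, so the following is an added example of my own, not the author's file: a POSIX shell script that first checks, from `iw list` output, that the driver advertises AP mode under "Supported interface modes" (the capability the Intel card lacked; the same section appears in the comments below for the Atheros card), and then writes a minimal WPA2-PSK hostapd.conf using CCMP only. The interface name wlan0, the SSID, the passphrase, channel 6 and the embedded sample `iw list` text are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not the author's configuration): verify that a mac80211
# driver supports AP mode from `iw list` output, then write a minimal
# WPA2-PSK hostapd.conf for the 2.4 GHz band.
# Interface, SSID, passphrase and channel below are placeholders (assumptions).

# Constructed sample of the relevant part of `iw list` output, laid out the
# way the real command prints it (indentation may be tabs or spaces).
SAMPLE_IW_LIST='Wiphy phy0
    Band 1:
        Frequencies:
            * 2412 MHz [1] (20.0 dBm)
            * 2437 MHz [6] (20.0 dBm)
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * monitor
    Supported commands:
         * new_interface'

# Read `iw list` text on stdin and print one supported interface mode per line.
# The mode block ends at the first line that is not a "* ..." bullet.
iw_interface_modes() {
    awk '
        /Supported interface modes:/ { inmodes = 1; next }
        inmodes && /^[ \t]*\* / { sub(/^[ \t]*\* /, ""); print; next }
        inmodes { inmodes = 0 }
    '
}

# Exit 0 if plain "AP" (not just "AP/VLAN") is among the supported modes.
supports_ap_mode() {
    iw_interface_modes | grep -qx 'AP'
}

# Write a minimal hostapd configuration for a WPA2-PSK, CCMP-only AP.
# Arguments: interface, SSID, passphrase, channel, output path.
# A WPA passphrase must be 8 to 63 characters; hostapd refuses anything else.
write_hostapd_conf() {
    iface=$1; ssid=$2; psk=$3; channel=$4; out=$5
    if [ "${#psk}" -lt 8 ] || [ "${#psk}" -gt 63 ]; then
        echo "passphrase must be 8-63 characters" >&2
        return 1
    fi
    cat > "$out" <<EOF
interface=$iface
driver=nl80211
ssid=$ssid
hw_mode=g
channel=$channel
ieee80211n=1
wmm_enabled=1
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=$psk
EOF
}

# Stand-alone run against the constructed sample. On a real box replace the
# printf with: iw list | supports_ap_mode
main() {
    if printf '%s\n' "$SAMPLE_IW_LIST" | supports_ap_mode; then
        out=$(mktemp)
        write_hostapd_conf wlan0 example-ssid 'change-this-passphrase' 6 "$out"
        echo "AP mode supported; hostapd.conf written to $out:"
        cat "$out"
    else
        echo "driver does not advertise AP mode" >&2
        return 1
    fi
}

main "$@"
```

Run `iw list | supports_ap_mode` on the actual machine before buying into a card; the config deliberately sets `wpa=2` with `wpa_pairwise=CCMP` and `rsn_pairwise=CCMP` so that neither WPA1 nor TKIP is offered to clients.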

The only outstanding issue is that while my laptop (running Linux) is quite happy to talk to the new AP my Windows Mobile 5 PDA seems to object to it for some reason that is still not entirely clear – it appears to successfully attach to the wireless network and sends DHCP requests but seems to be unable to receive (or perhaps to decrypt) the replies.

The completed firewall, all ready to be installed in its new home

So, after all that, my new firewall/access point is now installed in my network and, within a few hours of offering my old firewall on freecycle about a dozen different people had offered to take it (despite it lacking any operating system) and it now has a new home.

14 Comments

  1. Hey Tom, Duncan here. Nice little project. I was thinking about building one of these using a Gumstix board. Was quite an expensive solution though so I’m still waiting to find a cheap one on ebay…

  2. I have access to a D945GCLF2D motherboard with an Atom 330 on board. However, it has a PCI slot and not mini PCIe slot. My question is if I should use a usb 2.0 ethernet adapter or a PCI adapter. It seems to me the USB 2.0 can operate around 400 mb/s but the PCI at only 133 mb/s.

    Any advice? Should I keep looking until I can find the D945GSEJT that the author is using?

  3. Great, thank you. In that case the PCI card should not choke things much, if at all. It seems a Gigabit is about 125 MBytes and the PCI card at 66Mhz should be able to handle this. I do not need the bandwidth currently but one should consider the future (my oldest son is 5 and will soon be demanding resources!).

    Hopefully, I can order this package and have it running shortly.

    • Well 802.11n won’t go to a gigabit anyway, so if you’re using it for a wireless card then even with 802.11n the maximum theoretical bitrate is 600Mbit/s and practically it will be less than that. Which means even a 32 bit, 33MHz PCI card should be able to handle it.

  4. Thomas,

    Can you tell me if you’re able to get your WPEA-110N operating on both 802.11n and 802.11g simultaneously using hostapd?

    I’m building a similar type of setup and my goal is to be able to provide 5GHz 802.11n as well as 2.4GHz 802.11b/g (similar to how an Apple Airport Extreme/Time Capsule works).

        • This is the iw list output:

          Wiphy phy2
          	Band 1:
          		Capabilities: 0x104e
          			HT20/HT40
          			SM Power Save disabled
          			RX HT40 SGI
          			No RX STBC
          			Max AMSDU length: 7935 bytes
          			DSSS/CCK HT40
          		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
          		Minimum RX AMPDU time spacing: 8 usec (0x06)
          		HT TX/RX MCS rate indexes supported: 0-15
          		Frequencies:
          			* 2412 MHz [1] (20.0 dBm)
          			* 2417 MHz [2] (20.0 dBm)
          			* 2422 MHz [3] (20.0 dBm)
          			* 2427 MHz [4] (20.0 dBm)
          			* 2432 MHz [5] (20.0 dBm)
          			* 2437 MHz [6] (20.0 dBm)
          			* 2442 MHz [7] (20.0 dBm)
          			* 2447 MHz [8] (20.0 dBm)
          			* 2452 MHz [9] (20.0 dBm)
          			* 2457 MHz [10] (20.0 dBm)
          			* 2462 MHz [11] (20.0 dBm)
          			* 2467 MHz [12] (20.0 dBm)
          			* 2472 MHz [13] (20.0 dBm)
          			* 2484 MHz [14] (disabled)
          		Bitrates (non-HT):
          			* 1.0 Mbps
          			* 2.0 Mbps (short preamble supported)
          			* 5.5 Mbps (short preamble supported)
          			* 11.0 Mbps (short preamble supported)
          			* 6.0 Mbps
          			* 9.0 Mbps
          			* 12.0 Mbps
          			* 18.0 Mbps
          			* 24.0 Mbps
          			* 36.0 Mbps
          			* 48.0 Mbps
          			* 54.0 Mbps
          	Band 2:
          		Capabilities: 0x104e
          			HT20/HT40
          			SM Power Save disabled
          			RX HT40 SGI
          			No RX STBC
          			Max AMSDU length: 7935 bytes
          			DSSS/CCK HT40
          		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
          		Minimum RX AMPDU time spacing: 8 usec (0x06)
          		HT TX/RX MCS rate indexes supported: 0-15
          		Frequencies:
          			* 5180 MHz [36] (20.0 dBm)
          			* 5200 MHz [40] (20.0 dBm)
          			* 5220 MHz [44] (20.0 dBm)
          			* 5240 MHz [48] (20.0 dBm)
          			* 5260 MHz [52] (20.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5280 MHz [56] (20.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5300 MHz [60] (20.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5320 MHz [64] (20.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5500 MHz [100] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5520 MHz [104] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5540 MHz [108] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5560 MHz [112] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5580 MHz [116] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5600 MHz [120] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5620 MHz [124] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5640 MHz [128] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5660 MHz [132] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5680 MHz [136] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5700 MHz [140] (27.0 dBm) (passive scanning, no IBSS, radar detection)
          			* 5745 MHz [149] (disabled)
          			* 5765 MHz [153] (disabled)
          			* 5785 MHz [157] (disabled)
          			* 5805 MHz [161] (disabled)
          			* 5825 MHz [165] (disabled)
          		Bitrates (non-HT):
          			* 6.0 Mbps
          			* 9.0 Mbps
          			* 12.0 Mbps
          			* 18.0 Mbps
          			* 24.0 Mbps
          			* 36.0 Mbps
          			* 48.0 Mbps
          			* 54.0 Mbps
          	max # scan SSIDs: 4
          	Supported interface modes:
          		 * IBSS
          		 * managed
          		 * AP
          		 * AP/VLAN
          		 * monitor
          		 * mesh point
          	Supported commands:
          		 * new_interface
          		 * set_interface
          		 * new_key
          		 * new_beacon
          		 * new_station
          		 * new_mpath
          		 * set_mesh_params
          		 * set_bss
          		 * authenticate
          		 * associate
          		 * deauthenticate
          		 * disassociate
          		 * join_ibss
          		 * set_wiphy_netns
          		 * connect
          		 * disconnect