Its kind of late, but heres some info in case your still looking into this:
I used to run, as my main gateway, and now just as a wireless gateway into my network, a WRT54G v3 (newest revision) with an SD card soldered in to the GPIO pins, running OpenWRT. I used shorewall to set everything up, and aside from the long loading times for shorewall, which is really only run on a startup and after a long rule change session, it worked great.
To avoid taking so long to run shorewall and update your rules, I've been told, note that I've not actually tried this, there are a few things you can do:
-For quicker startup time, simply save your iptables rules, and restore them on boot using iptables-recover as opposed to shorewall start.
-For quciker iptables rules generation, run shorewall in an emulator on another machine that simulates all the correct network interfaces (ie vlan0, vlan1, eth0, eth1), and do iptables-save in it to get your ruleset.
Lately I went back to using one of my old Dell 500mhz PCs as a gateway. It has one nic connected to the Telus modem, one to my backbone switch, and one to my wireless gateway. It also has an extra one for connecting to a seperate VLAN on my backbone switch, which it uses to access the switches admin page (security reasons - don't want to telnet over main network). The WRT54G also has a seperate VLAN with a seperate IP addy that SSH and other admin tools run on, and its connected to the admin VLAN on the switch, to allow me to get into it without going over the main network.
The one thing I would greatly recommend though is using a PC with a hard drive. Use a live CD if you like, and reformat the hard drive on every boot (for a gateway PC shouldn't be more often than once or twice a month, so no worries on disks wearing out), although it will be slower than having it on the HD. The reason I have an HD is mainly for my caching services.
I run named in a caching nameserver, as the majority of the sites I go to, never change their IP addys. So for most sites, it stores the IPs all day, and updates them at night. If I need to bypass, I just do a dig from one of the computers on the network, which forces pulling through the new IP addy from the main DNS servers.
I also run a caching proxy, squid, in transparent mode (thanks to the help of shorewall). You'd be amazed at how much this speeds up your network - as an example, how often do you go to google.ca during the day? Or msn.com or yahoo.ca? They are small pages, but each one still ends up pulling down a few kb. If its cached, you avoid that. I dropped my internet usage per week by almost half a gig by running a caching proxy.
The last thing that a good gateway is really good for, is irc. I run irssi in a screen session on my gateway, and have passwordless ssh running on that user (very unpriviledged user, so security isn't much a concern, and ssh only runs on local network). All I have to do is ssh fooker@gateway; screen -x and I have my IRC window. I can have it on multiple computers (desktop and lappy are always attatched to it), and I never have to diconnect from irc. Makes getting help allot easier when your internet goes down because of your gateway - because the IRC session is already established, iptable rules no longer apply to it.
Just my 2 cents, PM me if you want help setting anything up
Fooker
_________________
Fooker
25 Jun 2006, 9:22 pm
