Your Ad Here

23 August 2008

Traffic shaping TorrentFlux or Torrent


TorrentFlux is a great program/interface to download your torrents remotely on a linux machine. It is based on php and it uses a modified bittornado client to download the torrents.

The problem: The bittornado client is able to put specific limits on a per torrent basis. That means that you can put a 100kb/sec download and 50kb/sec upload limit per torrent through torrentflux’s web interface. If you have 20 torrents though, this easily becomes 20*50=1Mb/sec upload “limit”. There are cases that you don’t want this to happen and you want both a per torrent limit (eg 50kb/sec) and a global limit (eg 300kb/sec).

The solution: My solution is based on iptables, layer7 filter and tc (iproute2). I am using layer7 filter to pick out the bittorrent packets, iptables to mark those packets with specific values and tc to shape those marked packets into categories. Beware that the method I am using works mostly on the “uploading” part (outgoing traffic). It is not that hard to make it work for the incoming traffic as well, but it is my personal view that downloading with a few Mb/sec is not as harmfull as uploading with a few Mb/sec. I usually have my downloads seeded over many weeks…so it’s good for my ratio to have the torrent downloaded as fast as possible and then seed it endlessly. I usually like to seed until i get a ratio over 1000% per torrent (that means 10 times as much uploaded traffic than downloaded). The following example configs are created for use on a 100mbit line and keeping in mind that outgoing torrent traffic should not exceed 2-2.5Mbits (~250-300kb/sec).

The procedure:
0) Before you begin make sure you have the kernel sources on /usr/src/linux.

1) Then, you need to patch your kernel for layer7 filtering and enable marking. On gentoo linux you only need to:
#emerge -avt net-misc/l7-filter net-misc/l7-protocols 
and then configure your kernel for marking.

Here’s how my netfilter configuration looks like:

CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_BRIDGE_NETFILTER is not set

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_H323=m
CONFIG_IP_NF_SIP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_LAYER7=m
# CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_NAT_H323=m
CONFIG_IP_NF_NAT_SIP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
# CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

You can clearly see layer7 being enabled as a module: CONFIG_IP_NF_MATCH_LAYER7=m
Rebuild your kernel and install the proper modules. If you need to reboot your machine to apply the new kernel do it now.

2) Now it’s time to install iptables and iproute2 if you don’t have them already. On gentoo linux:

#echo "net-firewall/iptables extensions l7filter" >> /etc/portage/package.use
#emerge -avt net-firewall/iptables sys-apps/iproute2

3) Now it’s the iptables marking time. I am going to show you (some of) the output of my iptables-save command. Change it to fit your neeeds:

# Generated by iptables-save v1.3.5 on Fri Jan 12 20:50:52 2007
*mangle
:PREROUTING ACCEPT [1102387:193393325]
:INPUT ACCEPT [1102372:193390208]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2100485:2922693566]
:POSTROUTING ACCEPT [2100483:2922690566]
-A PREROUTING -s IP.OF.MACHINE -p tcp -m multiport --sports 22,80 -j MARK --set-mark 1001
-A PREROUTING -d IP.OF.MACHINE -p tcp -m multiport --dports 22,80 -j MARK --set-mark 1001
-A PREROUTING -m layer7 --l7proto ssh -j MARK --set-mark 1001
#-A PREROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 11090
-A PREROUTING -m mark --mark 1001 -j RETURN
-A POSTROUTING -s IP.OF.MACHINE -p tcp -m multiport --sports 22,80 -j MARK --set-mark 1001
-A POSTROUTING -d IP.OF.MACHINE -p tcp -m multiport --dports 22,80 -j MARK --set-mark 1001
-A POSTROUTING -m mark --mark 1001 -j RETURN
-A POSTROUTING -m connmark --mark 0x0 -j MARK --set-mark 11030
-A POSTROUTING -m layer7 --l7proto dns -j MARK --set-mark 11010
-A POSTROUTING -m layer7 --l7proto ssh -j MARK --set-mark 11010
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 11010
-A POSTROUTING -p icmp -j MARK --set-mark 11010
-A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 11090
COMMIT
# Completed on Fri Jan 12 20:50:52 2007
# Generated by iptables-save v1.3.5 on Fri Jan 12 20:50:52 2007
*nat
:PREROUTING ACCEPT [407:30699]
:POSTROUTING ACCEPT [111:6662]
:OUTPUT ACCEPT [111:6662]
COMMIT
# Completed on Fri Jan 12 20:50:52 2007
# Generated by iptables-save v1.3.5 on Fri Jan 12 20:50:52 2007
*filter
:INPUT ACCEPT [266369:32040284]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [479227:676859047]
COMMIT
# Completed on Fri Jan 12 20:50:52 2007

You need to change IP.OF.MACHINE with the IP of your linux box.

4) And now the traffic shaping part:

# Main Link
LINK=100000
SHAPEDLINK=50000
# High Priority
HIGHPRIO=10000
HIGHPRIO_MAX=$SHAPEDLINK
# Normal
NORMAL=512
NORMAL_MAX=$SHAPEDLINK
# Downloads
TOR=512
TOR_MAX=2048
# del old
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
# add root
tc qdisc add dev $DEV root handle 100: htb default 1
tc class add dev $DEV parent 100: classid 100:1 htb rate ${LINK}kbit
tc qdisc add dev $DEV parent 100:1 handle 1: htb
tc class add dev $DEV parent 1: classid 1:1 htb rate ${SHAPEDLINK}kbit
# some more rules
tc class add dev $DEV parent 100: classid 100:1 htb rate ${LINK}kbit
tc qdisc add dev $DEV parent 100:1 sfq perturb 10
tc filter add dev $DEV parent 100:0 protocol ip prio 1 handle 1001 fw flowid 100:1
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${SHAPEDLINK}kbit ceil ${SHAPEDLINK}kbit prio 5
tc qdisc add dev $DEV parent 1:10 sfq perturb 10
# High priority
tc class add dev $DEV parent 1:10 classid 1:1010 htb rate ${HIGHPRIO}kbit ceil ${HIGHPRIO_MAX}kbit prio 0
tc qdisc add dev $DEV parent 1:1010 sfq perturb 10
tc filter add dev $DEV parent 1:0 protocol ip prio 0 handle 11010 fw flowid 1:1010
# normal
tc class add dev $DEV parent 1:10 classid 1:1030 htb rate ${NORMAL}kbit ceil ${NORMAL_MAX}kbit prio 5
tc qdisc add dev $DEV parent 1:1030 sfq perturb 10
tc filter add dev $DEV parent 1:0 protocol ip prio 5 handle 11030 fw flowid 1:1030
# bittorent
tc class add dev $DEV parent 1:10 classid 1:1090 htb rate ${TOR}kbit ceil ${TOR_MAX}kbit prio 10
tc qdisc add dev $DEV parent 1:1090 sfq perturb 10
tc filter add dev $DEV parent 1:0 protocol ip prio 10 handle 11090 fw flowid 1:1090

The rules are pretty straightforward…so I am not going to fully explain them. The basic concept is that you create a “shaped” partition of your bandwith and you add classes (high priority, normal , bittorrent) there. The trick is that you can skip anything you don’t want shaped by marking it with iptables 1001 mark.

In my iptables example above, I mark as 1001 the outgoing ssh and http traffic. This way I can shape the seeding of my torrents using TorrentFlux but I can download via http without any traffic shaping the torrents to my PC at home. I can also ssh to the machine without any latency caused by the shaping because the sshd port (22) is marked with 1001.

The only problem I faced with those scripts was that sometimes the layer7 filter for bittorrent let’s some torrent traffic pass by. My solution to that was to change NORMAL_MAX=$SHAPEDLINK to NORMAL_MAX=2048 for example. Then, even “normal traffic” was shaped. Remember that anything I didn’t want shaped, was marked as 1001 on the iptables script…so the machine was still very responsive even after shaping the “normal traffic”.

To check how your scripts are doing in terms of shaping you can download this excellent perl script: tc-viewer. Click here for a screenshot: tc-viewer htb screenshot

The above example configs are very very generic. If you have a server that serves many other duties apart from ssh, http and bittorrent, then this script might not work out of the box for you.

*Update*
It looks like the problem I had with layer7 bittorrent filter missing packets was not actually a layer7’s “problem”, but rather a new feature of the latest version of bittornado. I was using bittornado version 0.3.18 (experimental) which is the first bittornado version that comes with Message_Stream_Encryption. What this means: whenever bittornado finds another peer with encryption capabilities, it encrypts all traffic between you and the other peer, so the layer7 filter cannot understand that these flows are torrent traffic anymore, and categorizes them as “normal” traffic. That’s why I needed to “shape” normal traffic as well.
There are three ways to cope with encrypted bittorrent traffic. The first one is the one I described above without even knowing about it (shaping normal traffic). The second way is to go back to a version without encryption (0.3.17), which I think is a _really_ bad idea. Encryption came to help us hide our traffic from ISP filters, and is a step we can all take to protect ourselves. The third way is to mark the port range that torrentflux uses (check the admin panel of torrentflux for it) as torrent traffic by our iptables script. If the port range is high enough it can be almost certain that no other service will use those ports, so no priority traffic will be mis-matched as “torrent traffic”. If, for example, you have defined your port range to be from port 61000 to port 63000, then inject a command like:
-A POSTROUTING -p tcp --sport 61000:63000 -j MARK --set-mark 11090
just below the
-A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 11090
command of the iptables script above.

Enjoy shaped encrypted bittorent uploads! Keep seeding… 

21 August 2008

Reviewed Seven Different Linux/BSD Router Firewalls

Did you know more than 500 million computers in the United States have been disposed of in the last 10 years?

That’s approximately 2 computers per person! One of the best ways to re-purpose an old computer is to install a Linux or FreeBSD firewall distribution, and use it to run your personal, home office, or small office network is one way to keep “obsolete” technology from ever reaching a landfill.

Help the environment by reusing an old computer as a firewall. It will protect your computer from internet worms, save you time, money and most importantly - improve your internet experience as a whole.

Fact: A wireless router at an electronics store that can cost in excess of $100 is actually slower than any computer made in the last decade. Really! Most routers off the shelf at a store only have a 200MHz processor and 16MB of RAM.

By today’s standards, the 500MHz computer that’s been running quietly in my closet for the past 3 years is beyond obsolete. More than ten generations of processors have come and gone since this computer rolled off the assembly line.

Keep that wallet in your pocket, don’t be a sucker and spend lots of money on a slow, horrifically overpriced home networking product. There’s a good reason why companies like Linksys (a division of Cisco), Netgear and D-Link are worth multi-billions of dollars and continue to climb. Consumer spending on products with home network connections will reach over 17 billion dollars this year.

Here’s the criteria each platform is graded on:

  • Installation & Configuration
  • SSH
  • VPN
  • Graphical Interface
    • Ease of Use
    • Functionality
    • Style
  • Extensibility (Add-ons, Plugins, etc)
  • Speed Testing

Each item in the list is given a value of 1 to 10 (10 being the highest), then averaged to obtain the final score.

hp_vectra2.pngThe testing platform we are using today is an HP Vectra slimline PC. Considering the computer was FREE (as in beer) after a company upgraded their workstations, the specifications are nothing to scoff at.

  • Pentium III 500 MHz
  • 192MB of RAM
  • 1GB Transcend disk-on-chip IDE module
  • Dual 100Mbps NICs

We’re taking a look at no less than seven different firewall products today:

Firewall Graph

I’d like to draw your attention to the size column. Size is NOT everything (that’s what she said) when it comes to firewall distributions. Wireless routers that may run your home or office network right now pack a ton of functionality into a package as small as 2 megabytes. FreeBSD, Redhat, and Debian are the building blocks for these home networking appliance distributions.

Let’s take a look at each one in more detail.

ClarkConnect Clark Connect Logois a BEAST - in a good way. It’s really hungry for a faster processor than I can throw at it. The list of features really blow everything out of the water. It’s not just a router or firewall platform, it’s like someone asked themselves a question: “What is EVERYTHING a small office could EVER need in a networking server?” ClarkConnect provides three different robust VPN connectivity solutions using IPSec, PPTP, OpenVPN, along with web proxy and web filtering. Additionally, it provides an SSH server, Quality of Service (QoS) filtering for common P2P applications, Intrusion Detection, and much, much more including email server, file, print, database and web serving. Not to mention a fairly comprehensive group ware suite, which has calendar, contact, tasks lists, and provides a paid option for using Microsoft Outlook Connector to allow everything to go right into Microsoft Office Outlook.

ClarkConnect is certainly a jack of all trades. Doing everything is great, but how well does ClarkConnect do it? On the testbed, installation was easy, and had an informative installation progress screen. The first time running through the installer, there was a problem with not having enough disk space. After rebooting and trying again, I chose to utilize Disk Druid, a partitioning program - instead of the auto-partition mode. Everything worked just fine after that. I believe the problem lies with the testbed - 1GB of space is not alot to work with, but fortunately they provide a manual partitioning method. It also prompts to create a GRUB (bootup) password, so that if the device is physically compromised, it would be more difficult for someone to maliciously (or accidentally) make changes to the system.

Configuration was an overall negative experience. It got confusing, not to mention frustrating. A small business owner who doesn’t know much about networking or computers, would be best to consider hiring a professional to do the initial installation, or paying for a yearly support contract from the vendor, or for a single incident. An interesting feature ClarkConnect leverages very well during configuration stages is a graphical interface to the system. Every other firewall reviewed here either has a very sparse text-mode or console configuration. ClarkConnect wants to make it easier. Just point and click to configure the system, which is nice - but it does not contain all of the features as the text-mode configuration tool which is also provided.

The Web Graphical Interface is easy to use. Items are categorized in a logical fashion and it doesn’t take much hunting to find something you want, if you don’t know where exactly it is in the menu. Style-wise, ClarkConnect is the only option in this roundup that provides a theme switcher - it is possible to use a very slick, visually appealing interface, or with a few clicks, just change to another theme which is less eye-candy, but probably more familiar to most people who have configured a wireless router in the past.

Many companies, like ClarkConnect, release a “community” version as well as a paid version which includes more features and support options, add-ons such as email and virus scanning is available on a subscription basis, and with so many features to start out with you might not need anything else to help to run a small business.

gatewayclarkconnectlan-dashboard.pnggatewayclarkconnectlan-current-status.pnggatewayclarkconnectlan-system-statistics.pnggatewayclarkconnectlan-dhcp-server.png

gatewayclarkconnectlan-software-registration.pnggatewayclarkconnectlan-critical-updates.pnggatewayclarkconnectlan-running-services.pnggatewayclarkconnectlan-webconfig-settings_3x.png

gatewayclarkconnectlan-webconfig-settings_4x.pnggatewayclarkconnectlan-webconfig-settings_huron.pnggatewayclarkconnectlan-encrypted-file-system-manager.pnggatewayclarkconnectlan-official-modules.png

Consider IPCopIPCop Logo to be the baseline for features, usability and extensibility. The installation CD is simple, but employs a non-linear configuration that some may have difficulty using the first time around. A nice touch is including MemTest86 on the CD and including that as an option on the initial bootup. The program will systematically test your RAM and determine if there is a fault, and as a computer gets older, the likelihood of that happening becomes more of a reality.

The auto-partitioner worked great, unfortunately the installation procedure does have one glaringly obvious flaw. When the setup routine attempts to detect network cards, it cycles through every single network card that is supported. After the first card is detected, it prompts you to set that as the “GREEN” interface, also known as the LAN. Once it’s found the first NIC and assigned it to LAN, you can’t change it to “RED” or as the WAN interface. Mildly annoying, but thankfully the workaround is pretty simple, just reboot and start it again.

The web-based configuration tool is absolutely simple. Setting up SSH is just a checkbox away. VPN support is focused on a solution to provide IPCop-to-IPCop connectivity, but an OpenVPN add-on exists. Speaking of addons, there is a HUGE modding community devoted to adding features into IPCop. The webGUI style is in a word, tacky. It’s a good thing that it can be easily modified. A few changes to colors and background images later, it looks much, much better. Functionality-wise, IPCop makes it easy to forward ports, but does keep a few ports to itself that you cannot utilize, such as port 222 for SSH. Printing is not an option. I haven’t been able to find any 3rd party modification that allows print serving. The graphs are simplistic, yet very informative.
ipcop-main-page.pngipcop-updates.pngipcop-remote-access.pngipcop-status-information.png
ipcop-system-graphs.pngipcop-network-traffic-graphs.pngipcop-dhcp-configuration.pngipcop-traffic-shaping-settings.png
ipcop-port-forwarding-configuration.png

monowallmonowall.png is by far, the smallest of the bunch. The entire thing is contained in a measly 8 MB CD image! monowall is first and foremost, a routing platform. Nothing more, nothing less. The distribution comes in two flavors, either for embedded systems or for regular PCs. Installation the first time around may be difficult for a beginner, since it refers to network cards by their FreeBSD driver name, instead of something a human can easily interpret. Which is easier to understand: “fxp0″ or “Intel Pro 10/100+”? Why not provide both peices of information to the user?

VPN is well supported with both IPSec and PPTP options. SSH access can be enabled by a 3rd party add-on. Print serving is unsupported. The configuration page for monowall uses K.I.S.S. (Keep It Simple Stupid) to great effect. It’s brain-dead simple to set things up. However, two things stand out as being somewhat awkward, those being static DHCP and advanced settings. Otherwise, it’s fantastic. Ever had P2P traffic slow down your internet surfing? Check one single box in the GUI, and instantly you have over 20 different protocols that are instantly filtered using QoS to make your internet surfing experience as pleasant as possible.

Add-ons are not easy to incorporate, and require modification of the ISO image, but monowall is not designed to be anything more than a router and firewall. Extra features like a wireless AP feature that can be used with the captive portal function, Wake on LAN interface, and probably the smallest feature I could point out - the uptime is printed on the console when rebooting. Small things like that show an extremely polished software platform that delivers.

m0n0walllocal-system-general-setup.pngm0n0walllocal-status-cpu-load.pngm0n0walllocal-status-traffic-graph.pngm0n0walllocal-firewall-traffic-shaper-magic-shaper-wizard.png

m0n0walllocal-firewall-rules-edit.pngm0n0walllocal-status-interfaces.png

pfSensepfSense Logo is a hybrid of sorts, that has multiple sources for it’s major components. It was originally derived from monowall, but uses OpenBSD’s ported Packet Filter, a package management system to provide an integrated extensibility to the platform and Alternate Queuing (ALTQ) from FreeBSD. This Frankenstein is no slouch when it comes to performance, features and usability.

Installation uses the same monowall device naming system which is clunky, and also does not provide the entire name of the device. Once installed, the console has several options, one of those which is a program called “pfTop”, if you’ve ever needed to be able to view where most of your network bandwidth is being used from a console, now you can very easily.

The web GUI is absolutely fantastic. It’s got initial setup & traffic shaping wizards, a captive portal, load balancer (nice!), OLSR (ad-hoc wireless AP mode), Wake on LAN wizard, different selectable themes for the GUI, OpenVPN, IPSec, and PPTP VPN are all included by default, failover, and packet capturing!

Wizards for traffic shaping and initial setup - not anything new, almost any router you can buy today has them, but when you see them for the first time included in a firewall distribution, it’s great to see changes that make a product easier to use. No other firewall we’ve looked at has three different VPN options.

pfsenselocal-pfsense-webgui.pngpfsenselocal-system-advanced-functions.pngpfsenselocal-system-general-setup.pngpfsenselocal-pfsense-setup-wizard.png

pfsenselocal-general-information.pngpfsenselocal-configure-wan-interface.pngpfsenselocal-configure-lan-interface.pngpfsenselocal-pfsense-traffic-shaper-wizard.png

pfsenselocal-pfsense-traffic-shaper-wizard2.pngpfsenselocal-pfsense-traffic-shaper-wizard3.pngpfsenselocal-pfsense-traffic-shaper-wizard4.pngpfsenselocal-pfsense-traffic-shaper-wizard5.png

pfsenselocal-pfsense-traffic-shaper-wizard6.pngpfsenselocal-pfsense-traffic-shaper-wizard7.pngpfsenselocal-status-interfaces.pngpfsenselocal-status-traffic-graph.png

pfsenselocal-diagnostics-packet-capture.png

SmoothWall’sSmoothwall Logo installation is simplistic, and the GREEN/RED interface descriptions are an easy idea to grasp. One of the best features is a Java SSH client that runs right in the web interface - slick. Smoothwall’s VPN is designed to connect multiple Smoothwalls to each other, but IPSec is supported fully, and addons can be found for other VPN implementations.

The web interface is easy to navigate. This is the only product to provide a Java SSH client that runs right in the WebGUI - very nice. The real-time traffic graphs are a great addition. Add-ons for Smoothwall 3.0 are plentiful and usually easy to install, if you can think of it, it probably exists. my.smoothwall is integrated into the web configuration tool, and provides some basic integration into the smoothwall website. Free services like dynamic DNS are available, along with paid features as well.

The IM proxy is the best I’ve seen. Once it’s enabled, every incoming and outgoing IM conversation is logged. After opening up a few channels in IRC - in real-time - it’s possible to view any conversation going through the firewall. MSN, AIM, and other protocols are supported as well. It’s a big-brother feature, but if you want to monitor who you children are talking to, or for whatever reason, I can see it being an invaluable resource to monitor what is going on in a network you control. It would almost be easier to keep track of conversations using the logging tool in Smoothwall instead of multiple instant messenger clients.

main-page-smoothwall-express.pngregister-and-credits-smoothwall-express.pngmysmoothwall-profilesmoothwall-profile.pngmysmoothwall-profilesmoothwall-profile2.png

status-information-smoothwall-express.pngadvanced-status-information-smoothwall-express.pngrealtime-bandwidth-bars-smoothwall-express.pngnetwork-traffic-graphs-smoothwall-express.png

im-proxy-configuration-smoothwall-express.pnginstant-messenger-proxy-logs-smoothwall-express.pngdhcp-configuration-smoothwall-express.pngdynamic-dns-smoothwall-express.png

traffic-configuration-smoothwall-express.pnginterfaces-configuration-smoothwall-express.pngupdates-smoothwall-express2.pngsmoothwall-ssh-java.png

Endian and Gibraltar are not included in the final results due to not finishing testing.

EndianEndian Logo “is very easy to install, use and manage, without losing its flexibility.” I had a completely different experience. Although Endian is only 106 MB and would easily fit within the 1GB limitation of our testbed, installation failed at 96% - reporting that there was not enough space on the drive.

The installer for Endian has hard-coded values for the suplementary filesystems /var and swap. There is no minimum system requirements listed on their website that I can find, and I checked online for solutions to this problem. The best solution provided was to install Endian to another hard drive, resize the partitions to fit on the smaller disk, then copy it back using an disk imaging software. That workaround does not constitute “easy to install” by any stretch of the imagination.

GibraltarGibraltar Logo is a close match to every other distribution we’ve looked at so far, with a few nice touches. Their website says that they have the following feature at first look, seems pretty kickass: “Anonymisation Gateway: The Gibraltar Anonymisation Gateway makes your overall network traffic anonymous and it makes sure you can surf in the internet anonymously.”

To activate the firewall you must obtain a license key (for free) from their website. Unfortunately, that feature on Gibraltar’s site does not appear to be working properly. I’ve tried multiple times to request a key, and it said one was on it’s way - but never arrived. About a day later I requested a key once again, and was informed that a key already exists for my email address. Not good. Right before publishing this article I finally received a key via email, and it appears that the license key process is not automated, unfortunately. We’ll take a look at it next time around.

Conclusion:

The scoring system gives equal favor to the following categories: Setup, WebGui, Extensibility, and Speed Testing. Each of the distributions passed the speed test with flying colors, with less than 5% margin between highest and lowest scores. It’s difficult to assign arbitrary numbers to reach a score, and I’ve attempted to provide a good metric for which someone can go by to determine which is best for them.

Overall Score

In the end, pfSense is ultimately the best choice overall and provides the best value of all we have looked at today.