Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-15 Thread George N. White III
On Wed, 9 Jan 2019 at 00:52, Samuel Sieb  wrote:

> On 1/8/19 4:52 PM, George N. White III wrote:
> > Avoid USB NIC's. Have a look at pfSense
>
> What is wrong with USB network devices?  The USB3 ones can even do
> Gigabit and they work well.
>

A router/firewall has to process lots of small packets where latency is
more of an issue than raw transfer rates.   USB3 is much better than
USB2, but there are still extra function calls and you are relying on
the quality of the USB3 drivers as well as the ethernet driver.  Most
reviews of USB3 ethernet devices only consider a desktop role, so
may not reflect suitability for router/firewall service.

[...]


-- 
George N. White III
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-13 Thread Tim via users
Rick Stevens wrote:
>> Fedora changes every 6 months--sometimes in major ways that are not
>> necessarily backwards compatible with existing systems.

John Harris sent:
> Oh, never mind, there it is. You never meant stable, you meant "It
> updates too often for me to figure out how to manage."

Stable has more than one meaning.  Here's just two:

It's stable if it keeps running, and doesn't crash.

It's stable if the way it works doesn't keep changing.  This isn't
just how you interface with the thing, it's also how other software
interfaces with each other.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 4.16.11-100.fc26.x86_64 #1 SMP Tue May 22 20:02:12 UTC 2018 x86_64

Boilerplate:  All mail to my mailbox is automatically deleted.
There is no point trying to privately email me, I only get to see
the messages posted to the mailing list.

Programmers who can't take criticisms shouldn't release software that's
so crap it seriously pisses people off.


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-11 Thread Rick Stevens
On 1/10/19 5:37 PM, Outback Dingo wrote:
> On Fri, Jan 11, 2019 at 3:06 AM John Harris  wrote:
> 
> Sorry, one decision for a firewall on low cost hardware with features
> should definitely be OPNSense

I guess it depends on the definition of "low cost hardware" and what the OP
really wants to do. OPNSense, at a minimum, requires:

Single core x86-32 or x86-64 CPU
4GB mass storage
512MB RAM
Adequate PCI slots to support the NICs required.

Recommended hardware is:

Multi-core x86-32 or x86-64 CPU
120GB mass storage
4GB RAM
Adequate PCI slots to support the NICs required.

and they claim it can do 750Mbps+ throughput with the recommended
hardware config. OPNSense offers more features than OpenWRT (it is a
customized FreeBSD implementation after all). That being said, OpenWRT
only requires a $150 wireless router for hardware and is stripped down
to do just what a router/firewall/VPN is expected to do and not much
else. If that's what the OP wants, then that's _my_ recommendation and
it's at a lower cost than a minimum hardware OPNSense platform.

Your mileage may vary. Batteries not included. Some assembly required.
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 226437340   Yahoo: origrps2 -
--
-I'm afraid my karma just ran over your dogma-
--


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-10 Thread Outback Dingo
On Fri, Jan 11, 2019 at 3:06 AM John Harris  wrote:

Sorry, one decision for a firewall on low cost hardware with features
should definitely be OPNSense


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-10 Thread John Harris
On Thursday, January 10, 2019 2:45:39 PM EST Rick Stevens wrote:
> It's compatibility with _existing_ software that's in question here. Is
> Fedora stable? Well, most of the time. Not always. Upgrades sometimes
> screw the boot environment or corrupt the initrd or any of many other
> issues. Kernel changes (even minor ones) can wreak havoc with some
> software.

When you refer to "compatibility", do you mean ABI breakage? ABI breakage is a 
good thing.

As far as boot environment changes, this is one issue I can't say I've ever 
had, and I use dracut in literally every conceivable way over the course of
hundreds of systems, with combinations of custom kernels, Fedora kernel and 
Linux-libre from the Freed-ora project.

> When clients are dependent on the systems remaining up, you have to give
> them something that doesn't change constantly or at the very least stays
> in the same "family". If it's just YOUR stuff, then fine, have at it.
> I'm the one that gets poked with pointy sticks if a client's software
> isn't compatible with new OSes and it's not pleasant.

I completely agree. So you give them Fedora, and don't change to a different 
distro when an update comes around.

> You're being silly. There are MANY cases where existing software simply
> will not farking work on newer OSes due to lack of backwards
> compatibility, structure changes, default parameters, whatever. When F26
> abandoned webkit1, a lot of user-level web stuff broke.

Yep. And we moved on.


> The switch from PHP3 to PHP4/5 caused grief.

Hold on for the move to PHP7.

> Switching from Java 7 to Java 8 broke many things.

Sure, but there's a simple fix for this. Install OpenJDK 7 and run with that 
directly, or even change the default on your systems to OpenJDK 7, using 
`alternatives`.

> Python changes have always been painful.

I wish I could say "I wouldn't know", but clients complain about it a lot. 
I've had to teach several people how to use python3, which, unfortunately, 
meant learning Python.

> When the kernel went from 3 to 4, a HUGE amount of lower-level things broke 
> (some hardware was no longer supported, drivers couldn't be compiled, etc., 
> etc.).

It was silly for hardware to be dropped, but I don't know what you mean when 
you say "drivers couldn't be compiled".

> Even minor upgrades can cause massive grief. Look at the issues that
> occurred when OpenSSH devalued certain ciphers so suddenly you couldn't
> log into certain devices that used those ciphers without buggering
> your openssh.conf file or re-enabling the ciphers on the command line.

This one is mind blowing. I cannot believe you're actually suggesting that 
you'd rather have insecure systems than upgrade to more secure ciphers.

> Again, if they're running YOUR code and programs, you have much more
> freedom. The vast majority of us aren't in the same position. I must
> supply platforms that support existing code and programs that neither we
> nor our customers wrote and that just flat aren't compatible with newer
> OSes. I've been in this game >40 years. I know of which I'm speaking.

This attitude is precisely why there aren't as many Windows servers as there 
are GNU/Linux servers.

> On top of that, if what you're saying is true then Red Hat should adopt
> every single Fedora release as the latest RHEL. Using your criteria, F29
> should be Red Hat 8. It's stable, why not? F30 should become Red Hat 9
> by the same reasoning. So, why does Red Hat wait for major changes to
> Fedora to accumulate and stabilize for a year or two before adopting it?
> Because they, as I, have to support old stuff and they know (as I do)
> that it's not feasible to do so.

Red Hat thrives on supporting legacy code, exactly what you suggest you're 
doing, but in a different context. They provide exactly what is necessary by 
way of updates, but not much else. RHEL is so far behind, it's not even funny.

> How well do your non-upgraded Windows 7 apps run on Windows 10, eh?

I wouldn't know, I don't run Windows on anything, but considering Microsoft's 
big thing has always been legacy support, and they proudly boast that you can 
run 27 year old code without recompiling, I'd imagine fairly well.

> Then talk to Cisco. I can pretty much guarantee it's not going to
> happen. IOS does what it does well and they offer CSE status if you're
> willing to pay for the training and testing process. I'm not a CSE, just
> a poor bloke who was handed the network keys and was told to "keep it
> running." Any certification I have is via UHK (the University of Hard
> Knocks), from which I've graduated summa cum laude.

No, the solution has nothing to do with Cisco. We need to move away from their 
proprietary hardware, and towards libre solutions such as running our own 
router software on our own boxes. For example, my home network is a 10G network 
run from a GA-G41M-ES2L board running coreboot + Fedora with Freed-ora-freedom.
Certifications are meaningless. We have access to the 

Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-10 Thread John Harris
On Thursday, January 10, 2019 1:59:56 PM EST Tom Horsley wrote:
> On Thu, 10 Jan 2019 13:43:11 -0500
> John Harris wrote:
> 
> 
> > Fedora is always in a stable 
> > condition at release.
> 
> 
> I can't count the number of times moving to the next
> fedora release has broken stuff requiring me to fall back
> on the old version till things get fixed. Every fedora
> new release always comes with a "known bugs" web page
> that everyone complains doesn't include their bug :-).

There will always be bugs. Using an older version is not really a fix.

> I use fedora, not for its great stability, but because
> our software needs to run on redhat and centos and
> fedora gives me an early warning of things that will
> be broken when they show up in the next centos release
> so I can already have work arounds or bug fixes in place
> by then.

That's a great idea. I do something similar, but I've always got everything 
close to the bleeding edge. My personal devices run rawhide or branched, 
everything else runs the latest release.

-- 
John M. Harris, Jr. 
Splentity
https://splentity.com/



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-10 Thread Rick Stevens
On 1/10/19 10:43 AM, John Harris wrote:
> On Thursday, January 10, 2019 1:16:11 PM EST Rick Stevens wrote:
>> If I may offer my $0.02, Fedora on production systems is not a great
>> idea. We manage well over 2000 servers each in two data centers. The
>> vast majority (>85%) are CentOS-based because of its relative stability.
>> The remainder are generally Ubuntu LTS-based, again because of its
>> relative stability.
> 
> Fedora is great for production systems. I think it's wild that people keep 
> saying otherwise, and they consistently list CentOS as being the better 
> option. The only major difference is that Fedora has more frequent updates. 
> That does not make it unstable, for sure. Fedora is always in a stable 
> condition at release.

It's compatibility with _existing_ software that's in question here. Is
Fedora stable? Well, most of the time. Not always. Upgrades sometimes
screw the boot environment or corrupt the initrd or any of many other
issues. Kernel changes (even minor ones) can wreak havoc with some
software.

When clients are dependent on the systems remaining up, you have to give
them something that doesn't change constantly or at the very least stays
in the same "family". If it's just YOUR stuff, then fine, have at it.
I'm the one that gets poked with pointy sticks if a client's software
isn't compatible with new OSes and it's not pleasant.

>> Fedora changes every 6 months--sometimes in major ways that are not
>> necessarily backwards compatible with existing systems.
> 
> Oh, never mind, there it is. You never meant stable, you meant "It updates
> too often for me to figure out how to manage."

You're being silly. There are MANY cases where existing software simply
will not farking work on newer OSes due to lack of backwards
compatibility, structure changes, default parameters, whatever. When F26
abandoned webkit1, a lot of user-level web stuff broke. The switch from
PHP3 to PHP4/5 caused grief. Switching from Java 7 to Java 8 broke many
things. Python changes have always been painful. When the kernel went
from 3 to 4, a HUGE amount of lower-level things broke (some hardware
was no longer supported, drivers couldn't be compiled, etc., etc.).

Even minor upgrades can cause massive grief. Look at the issues that
occurred when OpenSSH devalued certain ciphers so suddenly you couldn't
log into certain devices that used those ciphers without buggering
your openssh.conf file or re-enabling the ciphers on the command line.

>> It is very cumbersome to update 3000+ servers every 6 months and
>> deal with the compatibility issues that crop up. We have to deal with
>> those when CentOS or Ubuntu gets a major upgrade (such as CentOS6
>> -> CentOS7), but that happens every couple of years and is far more
>> manageable. As far as security is concerned, any significant security
>> patches are generally backported to CentOS and Ubuntu and applied
>> when they come out. The few cases where a patch can't be applied,
>> well, those are fairly rare and dealt with as what they are...exceptions
>> to the general rule.
> 
> Not at all. This is, in fact, why we have deterministic tools to manage 
> systems. I personally manage well over 1.5k production servers, and a few 
> hundred on-premises servers, all running the latest release of Fedora, with 
> the exception being that I run them with Freed-ora-freedom.

Again, if they're running YOUR code and programs, you have much more
freedom. The vast majority of us aren't in the same position. I must
supply platforms that support existing code and programs that neither we
nor our customers wrote and that just flat aren't compatible with newer
OSes. I've been in this game >40 years. I know of which I'm speaking.

On top of that, if what you're saying is true then Red Hat should adopt
every single Fedora release as the latest RHEL. Using your criteria, F29
should be Red Hat 8. It's stable, why not? F30 should become Red Hat 9
by the same reasoning. So, why does Red Hat wait for major changes to
Fedora to accumulate and stabilize for a year or two before adopting it?
Because they, as I, have to support old stuff and they know (as I do)
that it's not feasible to do so.

How well do your non-upgraded Windows 7 apps run on Windows 10, eh?

>> At the network level, our VPNs and core routers are Cisco, our edge
>> switches are Foundry. We have two 10Gbps uplinks to the Internet so
>> smaller hardware is not an option. Fortunately, I'm well versed in these
>> beasties as Cisco IOS isn't a particularly intuitive system.
> 
> This is common, and I personally believe that we need to fix this.

Then talk to Cisco. I can pretty much guarantee it's not going to
happen. IOS does what it does well and they offer CSE status if you're
willing to pay for the training and testing process. I'm not a CSE, just
a poor bloke who was handed the network keys and was told to "keep it
running." Any certification I have is via UHK (the University of Hard
Knocks), from which I've 

Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-10 Thread Tom Horsley
On Thu, 10 Jan 2019 13:43:11 -0500
John Harris wrote:

> Fedora is always in a stable 
> condition at release.

I can't count the number of times moving to the next
fedora release has broken stuff requiring me to fall back
on the old version till things get fixed. Every fedora
new release always comes with a "known bugs" web page
that everyone complains doesn't include their bug :-).

I use fedora, not for its great stability, but because
our software needs to run on redhat and centos and
fedora gives me an early warning of things that will
be broken when they show up in the next centos release
so I can already have work arounds or bug fixes in place
by then.


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-10 Thread John Harris
On Thursday, January 10, 2019 1:16:11 PM EST Rick Stevens wrote:
> If I may offer my $0.02, Fedora on production systems is not a great
> idea. We manage well over 2000 servers each in two data centers. The
> vast majority (>85%) are CentOS-based because of its relative stability.
> The remainder are generally Ubuntu LTS-based, again because of its
> relative stability.

Fedora is great for production systems. I think it's wild that people keep 
saying otherwise, and they consistently list CentOS as being the better 
option. The only major difference is that Fedora has more frequent updates. 
That does not make it unstable, for sure. Fedora is always in a stable 
condition at release.

> Fedora changes every 6 months--sometimes in major ways that are not
> necessarily backwards compatible with existing systems.

Oh, never mind, there it is. You never meant stable, you meant "It updates too 
often for me to figure out how to manage."

> It is very cumbersome to update 3000+ servers every 6 months and
> deal with the compatibility issues that crop up. We have to deal with
> those when CentOS or Ubuntu gets a major upgrade (such as CentOS6
> -> CentOS7), but that happens every couple of years and is far more
> manageable. As far as security is concerned, any significant security
> patches are generally backported to CentOS and Ubuntu and applied
> when they come out. The few cases where a patch can't be applied,
> well, those are fairly rare and dealt with as what they are...exceptions
> to the general rule.

Not at all. This is, in fact, why we have deterministic tools to manage 
systems. I personally manage well over 1.5k production servers, and a few 
hundred on-premises servers, all running the latest release of Fedora, with 
the exception being that I run them with Freed-ora-freedom.

> At the network level, our VPNs and core routers are Cisco, our edge
> switches are Foundry. We have two 10Gbps uplinks to the Internet so
> smaller hardware is not an option. Fortunately, I'm well versed in these
> beasties as Cisco IOS isn't a particularly intuitive system.

This is common, and I personally believe that we need to fix this.

> For a router/VPN gateway in a SOHO environment (even some medium-sized
> cases), I'd go along with those who recommended using OpenWRT on
> inexpensive router hardware. It is Linux-based and optimized for use on
> such devices. It is relatively easy to manage via its web-based GUI and
> does its job quite well. Fedora or any full-up Linux system, is (IMHO)
> overkill in such cases.

A complete Fedora installation would be an excellent, incredibly flexible 
router.

-- 
John M. Harris, Jr. 
Splentity
https://splentity.com/



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-10 Thread Rick Stevens
On 1/9/19 7:20 PM, Robin Laing wrote:
> On 08/01/2019 17:52, George N. White III wrote:
>> On Tue, 8 Jan 2019 at 12:10, Alex wrote:
>>
>>     Hi,
>>     I need a gateway for our new office. I'd like it to run Fedora. What
>>     are my options? I'd like to be able to do the following:
>>
>>    - provide VPN back to the main office
>>    - provide basic masquerading of hosts on inside network
>>    - be small enough to fit on a shelf. Preferably fanless
>>    - web-based administration
>>    - ssh access
>>
>>
>> Have a look at https://www.pcengines.ch/apu2.htm  These offer 2 or 3
>> ethernet ports, small form factor, and fanless.  Fedora is not a good
>> choice for this role unless you are willing to devote time and effort to
>> testing new versions as they appear.  In that case you would want a couple
>> systems so each new release could be tested before going into service.
>> Pcengines has centos7 images for apu systems.
>>
>>     We're experienced admins, so a simple interface isn't specifically
>>     necessary, but desired.
>>
>>     It's only for a few remote office workers, so it doesn't have to be
>>     particularly powerful, but should be responsive enough to support
>>     regular ssh and VPN activity.
>>
>>
>> Avoid USB NIC's.     Have a look at pfSense
>> 
>> -- 
>> George N. White III
>>
>>
> 
> Working on this as well.
> 
> I have looked at pfSense and I am also looking at OPNsense
> 
>  https://opnsense.org/   
> 
> I have a friend that uses pfsense for a small network at a resort and
> does remote admin when required.  For wireless he uses dedicated access
> points.  IPFire looks interesting but it looks like it wants to be more
> than a firewall/gateway.
> 
> https://www.ipfire.org/
> 
> The one point my friend mentions is using separate network ports for the
> various vlans and combine at the firewall.  He prefers this method for
> his network.
> 
> I would look at a fanless solution as well.  We have had some Intel
> based units that have been major problems with heat.  Needed to be in
> cool rooms all the time.  Cannot remember the name though.
> 
> pfSense has a list of recommended hardware for throughput bandwidth.
> 
> http://pfsensesetup.com/pfsense-hardware-requirements/
> 
> It is interesting to read.
> 
> Have fun.

If I may offer my $0.02, Fedora on production systems is not a great
idea. We manage well over 2000 servers each in two data centers. The
vast majority (>85%) are CentOS-based because of its relative stability.
The remainder are generally Ubuntu LTS-based, again because of its
relative stability.

Fedora changes every 6 months--sometimes in major ways that are not
necessarily backwards compatible with existing systems. It is very
cumbersome to update 3000+ servers every 6 months and deal with the
compatibility issues that crop up. We have to deal with those when
CentOS or Ubuntu gets a major upgrade (such as CentOS6 -> CentOS7),
but that happens every couple of years and is far more manageable. As
far as security is concerned, any significant security patches are
generally backported to CentOS and Ubuntu and applied when they come
out. The few cases where a patch can't be applied, well, those are
fairly rare and dealt with as what they are...exceptions to the general
rule.

At the network level, our VPNs and core routers are Cisco, our edge
switches are Foundry. We have two 10Gbps uplinks to the Internet so
smaller hardware is not an option. Fortunately, I'm well versed in these
beasties as Cisco IOS isn't a particularly intuitive system.

For a router/VPN gateway in a SOHO environment (even some medium-sized
cases), I'd go along with those who recommended using OpenWRT on
inexpensive router hardware. It is Linux-based and optimized for use on
such devices. It is relatively easy to manage via its web-based GUI and
does its job quite well. Fedora or any full-up Linux system, is (IMHO)
overkill in such cases.

Having said all that, do what you wish.
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 226437340   Yahoo: origrps2 -
--
- There are only 10 kinds of people in the world -- those who-
- understand binary and those who don't  -
--


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread Robin Laing

On 08/01/2019 17:52, George N. White III wrote:
> On Tue, 8 Jan 2019 at 12:10, Alex wrote:
>
>     Hi,
>     I need a gateway for our new office. I'd like it to run Fedora. What
>     are my options? I'd like to be able to do the following:
>
>    - provide VPN back to the main office
>    - provide basic masquerading of hosts on inside network
>    - be small enough to fit on a shelf. Preferably fanless
>    - web-based administration
>    - ssh access
>
> Have a look at https://www.pcengines.ch/apu2.htm  These offer 2 or 3
> ethernet ports, small form factor, and fanless.  Fedora is not a good
> choice for this role unless you are willing to devote time and effort to
> testing new versions as they appear.  In that case you would want a couple
> systems so each new release could be tested before going into service.
> Pcengines has centos7 images for apu systems.
>
>     We're experienced admins, so a simple interface isn't specifically
>     necessary, but desired.
>
>     It's only for a few remote office workers, so it doesn't have to be
>     particularly powerful, but should be responsive enough to support
>     regular ssh and VPN activity.
>
> Avoid USB NIC's.     Have a look at pfSense
>
> --
> George N. White III

Working on this as well.

I have looked at pfSense and I am also looking at OPNsense

https://opnsense.org/   

I have a friend that uses pfsense for a small network at a resort and 
does remote admin when required.  For wireless he uses dedicated access 
points.  IPFire looks interesting but it looks like it wants to be more 
than a firewall/gateway.


https://www.ipfire.org/

The one point my friend mentions is using separate network ports for the 
various vlans and combine at the firewall.  He prefers this method for 
his network.


I would look at a fanless solution as well.  We have had some Intel 
based units that have been major problems with heat.  Needed to be in 
cool rooms all the time.  Cannot remember the name though.


pfSense has a list of recommended hardware for throughput bandwidth.

http://pfsensesetup.com/pfsense-hardware-requirements/

It is interesting to read.

Have fun.


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread John Harris
On Wednesday, January 9, 2019 3:01:33 PM EST Samuel Sieb wrote:
> If you're suggesting to run Fedora off a USB port, then remember that 
> they also usually only have max 32MB of RAM as well. :-)

32-64 MiB, but that's fine. More than enough. You just can't use one of the 
standard images.

-- 
John M. Harris, Jr. 
Splentity
https://splentity.com/



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread Samuel Sieb

On 1/9/19 11:51 AM, John Harris wrote:
> On Wednesday, January 9, 2019 2:36:53 PM EST Samuel Sieb wrote:
>> I use Fedora for desktops, laptops, and servers in various places, but
>> in this case, Fedora is not suitable to run on a wifi router.  In a lot
>> of cases, there is only 8MB of flash to store the OS, or if you're
>> really lucky or willing to pay a lot more, you can get twice that.
>
> While I'm not suggesting the use of Fedora on a stock residential router, most
> of these routers also have a USB port.

If you're suggesting to run Fedora off a USB port, then remember that 
they also usually only have max 32MB of RAM as well. :-)

>> I second the suggestion of using such a device.  It's quiet, low power,
>> and easy config.  I have considered, but haven't got around to trying to
>> setup openvpn on one yet, so that's an unknown.  You could find a cheap,
>> openwrt supported router from a second-hand store to test out before
>> buying a better one.
>
> I'd highly suggest using Wireguard rather than OpenVPN. I got around to
> switching my personal systems the other day, and the benefits are immediately
> noticeable. I can push gigabit over my home VPN. :)


I have been running openvpn for many years and my VPN network is 
widespread.  I only heard about Wireguard recently, but it's something I 
should look into.



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread John Harris
On Wednesday, January 9, 2019 2:36:53 PM EST Samuel Sieb wrote: 
> I use Fedora for desktops, laptops, and servers in various places, but 
> in this case, Fedora is not suitable to run on a wifi router.  In a lot 
> of cases, there is only 8MB of flash to store the OS, or if you're 
> really lucky or willing to pay a lot more, you can get twice that.

While I'm not suggesting the use of Fedora on a stock residential router, most 
of these routers also have a USB port.

> I second the suggestion of using such a device.  It's quiet, low power, 
> and easy config.  I have considered, but haven't got around to trying to 
> setup openvpn on one yet, so that's an unknown.  You could find a cheap, 
> openwrt supported router from a second-hand store to test out before 
> buying a better one.

I'd highly suggest using Wireguard rather than OpenVPN. I got around to 
switching my personal systems the other day, and the benefits are immediately 
noticeable. I can push gigabit over my home VPN. :)

-- 
John M. Harris, Jr. 
Splentity
https://splentity.com/



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread Samuel Sieb

On 1/9/19 12:19 AM, John Harris wrote:
> On Wednesday, January 9, 2019 3:14:25 AM EST Terry Barnaby wrote:
> > I know you asked for Fedora, but a standard, low cost router, running
> > OpenWRT, https://openwrt.org/, would likely be better for the tasks you
> > mention. OpenWRT is a minimal Linux system with the ability to install
> > extra packages. It has a simple to use WEB admin system and can do all
> > the things you mention.
>
> I cannot think of any reason not to use one's distro of choice as their gateway
> and/or VPN. I personally use a system Fedora (well, Fedora + Freed-ora-
> freedom) for my router and VPN. OpenWRT is not inherently better than Fedora,
> and there are many benefits of using Fedora over OpenWRT.


I use Fedora for desktops, laptops, and servers in various places, but 
in this case, Fedora is not suitable to run on a wifi router.  In a lot 
of cases, there is only 8MB of flash to store the OS, or if you're 
really lucky or willing to pay a lot more, you can get twice that.


I second the suggestion of using such a device.  It's quiet, low power, 
and easy config.  I have considered, but haven't got around to trying to 
setup openvpn on one yet, so that's an unknown.  You could find a cheap, 
openwrt supported router from a second-hand store to test out before 
buying a better one.



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread Michael Watters
Look up Jetway devices.  They're small, fanless, and don't use a lot of
power.


On 1/8/19 11:09 AM, Alex wrote:
> Hi,
> I need a gateway for our new office. I'd like it to run Fedora. What
> are my options? I'd like to be able to do the following:
>
>   - provide VPN back to the main office
>   - provide basic masquerading of hosts on inside network
>   - be small enough to fit on a shelf. Preferably fanless
>   - web-based administration
>   - ssh access
>
> We're experienced admins, so a simple interface isn't specifically
> necessary, but desired.
>
> It's only for a few remote office workers, so it doesn't have to be
> particularly powerful, but should be responsive enough to support
> regular ssh and VPN activity.
>
> Thanks,
> Alex


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread Oleg Cherkasov

On 08.01.2019 17:09, Alex wrote:
> Hi,
> I need a gateway for our new office. I'd like it to run Fedora. What
> are my options? I'd like to be able to do the following:
>
>   - provide VPN back to the main office
>   - provide basic masquerading of hosts on inside network
>   - be small enough to fit on a shelf. Preferably fanless
>   - web-based administration
>   - ssh access
>
> We're experienced admins, so a simple interface isn't specifically
> necessary, but desired.
>
> It's only for a few remote office workers, so it doesn't have to be
> particularly powerful, but should be responsive enough to support
> regular ssh and VPN activity.



I had been using https://www.ipfire.org/ in the past and later switched to 
pfSense so I would really recommend IPFire if you want to have full 
control on firewall on low level and simple decent setup/conf interface 
as well.



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread John Harris
On Wednesday, January 9, 2019 9:05:56 AM EST Chris Adams wrote:
> It's the difference between using a multitool and a purpose-built tool.
> Sure, your Leatherman or Gerber can strip wires and screw in a switch,
> but a good pair of wire strippers and assorted size screwdrivers will
> usually be more convenient (and quicker) to use.

I cannot think of a more dishonest comparison. A multitool cannot be easily 
reconfigured to meet a given purpose. A multitool could not be made to be as 
ergonomic and efficient of a screwdriver as a real screwdriver, for example. 
With Fedora, you can configure the system to be anything you could ever need.

> OpenWrt is a light-weight system designed for router setups.  It has an
> integrated web UI (for those that want it) that can configure and
> monitor traffic, and all configuration normally needed is in a small set
> of config files in one directory and in a common format (makes
> management much easier for occasional edits).

Sure, and if you're alright with throwing up something in a system you're 
unfamiliar with, or you don't have time to properly manage yet another system, 
maybe it's a good idea.

> There are things that OpenWrt does easily that Fedora doesn't do at all;
> for example, the web UI on OpenWrt includes real-time traffic graphs.  I
> don't know of anything that can provide that in Fedora.

There are several packages that you could install to show you real-time 
statistics of your system's network interfaces (including virtual interfaces). 
Cockpit is one which the Fedora Server folks put in their default image.

> Also, OpenWrt uses much less resources than any general-purpose OS
> install, so costs less.

This isn't necessarily true. It would depend heavily on what you install, and 
how you configure it. Out of box? Sure.

-- 
John M. Harris, Jr. 
Splentity
https://splentity.com/



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread Chris Adams
Once upon a time, John Harris  said:
> I cannot think of any reason not to use one's distro of choice as their 
> gateway 
> and/or VPN. I personally use a system Fedora (well, Fedora + Freed-ora-
> freedom) for my router and VPN. OpenWRT is not inherently better than Fedora, 
> and there are many benefits of using Fedora over OpenWRT.

It's the difference between using a multitool and a purpose-built tool.
Sure, your Leatherman or Gerber can strip wires and screw in a switch,
but a good pair of wire strippers and assorted size screwdrivers will
usually be more convenient (and quicker) to use.

OpenWrt is a light-weight system designed for router setups.  It has an
integrated web UI (for those that want it) that can configure and
monitor traffic, and all configuration normally needed is in a small set
of config files in one directory and in a common format (makes
management much easier for occasional edits).

There are things that OpenWrt does easily that Fedora doesn't do at all;
for example, the web UI on OpenWrt includes real-time traffic graphs.  I
don't know of anything that can provide that in Fedora.

Also, OpenWrt uses much less resources than any general-purpose OS
install, so costs less.
-- 
Chris Adams 


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread Chris Adams
Once upon a time, Samuel Sieb  said:
> On 1/8/19 11:15 AM, Chris Adams wrote:
> >Once upon a time, Tom Horsley  said:
> >>Intel sells boxes they call NUCs.
> >
> >NUC only has one ethernet port built-in, although newer models also have
> >a Thunderbolt port, which should drive a decent speed network.
> 
> The servers I run usually only have 1 Ethernet port.  I use a
> managed switch with vlan support to provide as many ports as I need.

That's fine for servers, but would add significant cost and additional
management and bandwidth overhead for a router.  I have gigabit Internet
service; hairpinning all the traffic through a single port turns a
full-duplex service into half-duplex.

-- 
Chris Adams 


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread John Harris
On Wednesday, January 9, 2019 7:48:24 AM EST wwp wrote:
> True, but you may also fail at upgrading (see the users ML) and it
> means possibly fail every 6 months ;-). You cannot be serious in
> recommending Fedora for a server in production, just because it has
> up-to-date software without mentioning that it would bring fresh fixes,
> yes, but also fresh bugs. And that's not what I'd recommend to
> handle a server in production, unless you are both the user and the
> admin and it's your own home/office and your responsibility only
> involves you and no real cost if something goes wrong. Or, unless your
> hardware requires kernel (and more) support that is only found in
> Fedora, which is another important detail (for instance, you might fail
> w/ CentOS7 or Redhat7 on fresh hardware).

I would definitely suggest Fedora for production servers, but this is another 
conversation entirely. I'd be happy to discuss this with you in a separate 
thread.

-- 
John M. Harris, Jr. 
Splentity
https://splentity.com/



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread wwp
Hello,


On Wed, 09 Jan 2019 07:37:53 -0500 John Harris  wrote:

[snip]
> > 4. Fedora's aggressive new "feature" release cycle is painful for such 
> > low level infrastructure.  
> 
> Nope. Fedora has releases about every 6 months. This means your systems will 
> just about always have the latest and greatest stable code.
[snip]

True, but you may also fail at upgrading (see the users ML) and it
means possibly fail every 6 months ;-). You cannot be serious in
recommending Fedora for a server in production, just because it has
up-to-date software without mentioning that it would bring fresh fixes,
yes, but also fresh bugs. And that's not what I'd recommend to
handle a server in production, unless you are both the user and the
admin and it's your own home/office and your responsibility only
involves you and no real cost if something goes wrong. Or, unless your
hardware requires kernel (and more) support that is only found in
Fedora, which is another important detail (for instance, you might fail
w/ CentOS7 or Redhat7 on fresh hardware).


Regards,

-- 
wwp




Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread John Harris
On Wednesday, January 9, 2019 4:33:25 AM EST Terry Barnaby wrote:
> 1. Fedora is big and bloated for small/low powered hardware that can be 
> used for this task and low energy usage is important in my opinion for 
> 24/7 systems.

I've successfully run Fedora (certainly not the images published, but still 
Fedora) on embedded devices without issue. Additionally, using Fedora doesn't 
inherently make your system use more energy than it otherwise would.

> 2. Fedora is complex for such a task.

Not really. It's more complex, because of your point 3, but not by a lot. It 
also has a lot of flexibility in comparison to things like OpenWRT.

> 3. Fedora hasn't a simple web interface to manage the particular 
> functionality that a simple router like device needs.

Sure.

> 4. Fedora's aggressive new "feature" release cycle is painful for such 
> low level infrastructure.

Nope. Fedora has releases about every 6 months. This means your systems will 
just about always have the latest and greatest stable code.

> 5. Other Linux systems have been designed to easily install on small 
> router like hardware easily and be easily used. As long as it is 
> OpenSource and Linux most of someone's knowledge of Fedora will be 
> applicable.

Fedora, as with many other GNU/Linux systems, is a general purpose operating 
system. As I said earlier, you can certainly install it on embedded devices 
such as routers. I'd be careful doing so, however, and look into the 
peripherals and their support in mainline before doing so. It is possible that 
you'll have to run Fedora from a custom kernel.

Little of one's knowledge of Fedora is really relevant to Linux.

-- 
John M. Harris, Jr. 
Splentity
https://splentity.com/



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread Terry Barnaby

On 09/01/2019 08:19, John Harris wrote:
> On Wednesday, January 9, 2019 3:14:25 AM EST Terry Barnaby wrote:
> > I know you asked for Fedora, but a standard, low cost router, running
> > OpenWRT, https://openwrt.org/, would likely be better for the tasks you
> > mention. OpenWRT is a minimal Linux system with the ability to install
> > extra packages. It has a simple to use WEB admin system and can do all
> > the things you mention.
>
> I cannot think of any reason not to use one's distro of choice as their gateway
> and/or VPN. I personally use a system Fedora (well, Fedora + Freed-ora-
> freedom) for my router and VPN. OpenWRT is not inherently better than Fedora,
> and there are many benefits of using Fedora over OpenWRT.

I agree there are pros in using a system you know and use on as many 
things as possible. I use Fedora on multiple servers, workstation, 
webservers, backup servers etc. However there are a few cons in using 
Fedora for such tasks, my particular cons for this task are:


1. Fedora is big and bloated for small/low powered hardware that can be 
used for this task and low energy usage is important in my opinion for 
24/7 systems.


2. Fedora is complex for such a task.

3. Fedora hasn't a simple web interface to manage the particular 
functionality that a simple router like device needs.


4. Fedora's aggressive new "feature" release cycle is painful for such 
low level infrastructure.


5. Other Linux systems have been designed to easily install on small 
router like hardware easily and be easily used. As long as it is 
OpenSource and Linux most of someone's knowledge of Fedora will be 
applicable.


Terry


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread John Harris
On Wednesday, January 9, 2019 3:14:25 AM EST Terry Barnaby wrote:
> I know you asked for Fedora, but a standard, low cost router, running 
> OpenWRT, https://openwrt.org/, would likely be better for the tasks you 
> mention. OpenWRT is a minimal Linux system with the ability to install 
> extra packages. It has a simple to use WEB admin system and can do all 
> the things you mention.

I cannot think of any reason not to use one's distro of choice as their gateway 
and/or VPN. I personally use a system Fedora (well, Fedora + Freed-ora-
freedom) for my router and VPN. OpenWRT is not inherently better than Fedora, 
and there are many benefits of using Fedora over OpenWRT.

-- 
John M. Harris, Jr. 
Splentity
https://splentity.com/



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-09 Thread Terry Barnaby
I know you asked for Fedora, but a standard, low cost router, running 
OpenWRT, https://openwrt.org/, would likely be better for the tasks you 
mention. OpenWRT is a minimal Linux system with the ability to install 
extra packages. It has a simple to use WEB admin system and can do all 
the things you mention.


I use cheap (£20 second hand on ebay) TP-Link TL-WDR3600 v1 routers and 
OpenWRT 18.06 at work and home. This particular router has 5 x 1Gbit 
Ethernet ports, Wifi (2.4 and 5GHz), 2 USB ports and has efficient use 
of power. Can connect to cable/FTTP/FTTC "modems" if needed etc. There 
are many other hardware platforms that would work with OpenWRT but this 
one works well and has a good amount of FLASH/RAM.


Terry

On 08/01/2019 16:09, Alex wrote:
> Hi,
> I need a gateway for our new office. I'd like it to run Fedora. What
> are my options? I'd like to be able to do the following:
>
>   - provide VPN back to the main office
>   - provide basic masquerading of hosts on inside network
>   - be small enough to fit on a shelf. Preferably fanless
>   - web-based administration
>   - ssh access
>
> We're experienced admins, so a simple interface isn't specifically
> necessary, but desired.
>
> It's only for a few remote office workers, so it doesn't have to be
> particularly powerful, but should be responsive enough to support
> regular ssh and VPN activity.
>
> Thanks,
> Alex


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-08 Thread Samuel Sieb

On 1/8/19 11:15 AM, Chris Adams wrote:
> Once upon a time, Tom Horsley said:
> > Intel sells boxes they call NUCs.
>
> NUC only has one ethernet port built-in, although newer models also have
> a Thunderbolt port, which should drive a decent speed network.


The servers I run usually only have 1 Ethernet port.  I use a managed 
switch with vlan support to provide as many ports as I need.



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-08 Thread Samuel Sieb

On 1/8/19 4:52 PM, George N. White III wrote:
> Avoid USB NIC's. Have a look at pfSense


What is wrong with USB network devices?  The USB3 ones can even do 
Gigabit and they work well.



Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-08 Thread George N. White III
On Tue, 8 Jan 2019 at 12:10, Alex  wrote:

> Hi,
> I need a gateway for our new office. I'd like it to run Fedora. What
> are my options? I'd like to be able to do the following:
>
>   - provide VPN back to the main office
>   - provide basic masquerading of hosts on inside network
>   - be small enough to fit on a shelf. Preferably fanless
>   - web-based administration
>   - ssh access
>
>
Have a look at https://www.pcengines.ch/apu2.htm  These offer 2 or 3 ethernet
ports, small form factor, and fanless.  Fedora is not a good choice for this
role unless you are willing to devote time and effort to testing new versions
as they appear.  In that case you would want a couple systems so each new
release could be tested before going into service.   Pcengines has centos7
images for apu systems.


> We're experienced admins, so a simple interface isn't specifically
> necessary, but desired.
>
> It's only for a few remote office workers, so it doesn't have to be
> particularly powerful, but should be responsive enough to support
> regular ssh and VPN activity.
>

Avoid USB NIC's. Have a look at pfSense


-- 
George N. White III


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-08 Thread Chris Adams
Once upon a time, Terry Polzin  said:
> Raspberry PI

PIs make terrible routers since the only NIC is on the USB2 bus (and so
would any additional NIC).

I don't get the fascination with PIs - they're cheap, but they are not a
good solution to a great many things people try to use them for.

-- 
Chris Adams 


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-08 Thread Chris Adams
Once upon a time, Tom Horsley  said:
> Intel sells boxes they call NUCs.

NUC only has one ethernet port built-in, although newer models also have
a Thunderbolt port, which should drive a decent speed network.

A strike against the NUC is that Intel basically requires Windows for
some types of firmware updates.  BIOS can be updated from a function
key, but the HDMI port (on the NUC7 anyway) is internally a DisplayPort
interface run through an active DP->HDMI adapter.  Upgrading the
firmware on that adapter can only be done in Windows.  IIRC the
Thunderbolt firmware can also only be upgraded in Windows (and both of
those upgrades have been necessary to get systems working).

Also, I have a NUC7 (1.5 years old) on RMA right now - made a BIOS
setting change to disable SecureBoot and enable legacy-style boot, and
it killed the box... not too impressed with that.

-- 
Chris Adams 


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-08 Thread Terry Polzin
Raspberry PI

On Tue, Jan 8, 2019 at 12:44 PM Tom Horsley  wrote:

> Intel sells boxes they call NUCs. I'm running fedora on
> one at home seems to work fine (as a media PC). Asus
> makes similar sized bookshelf systems. A lot of them
> come with Windows forced down your throat, I got a
> NUC without memory or disk and added my own.
>
> Look up mini PC on amazon for a vast selection.
>
> I'd think centos would be better for a server-like system
> since it has a longer lifespan, fedora goes out of date
> really fast.


Re: Smallest Fedora box to use as gateway/firewall/VPN

2019-01-08 Thread Tom Horsley
Intel sells boxes they call NUCs. I'm running fedora on
one at home seems to work fine (as a media PC). Asus
makes similar sized bookshelf systems. A lot of them
come with Windows forced down your throat, I got a
NUC without memory or disk and added my own.

Look up mini PC on amazon for a vast selection.

I'd think centos would be better for a server-like system
since it has a longer lifespan, fedora goes out of date
really fast.