Anyone have some insight on a good dual stack Linux (or BSD) router distro? Currently using IPCop but it lacks ipv6 support. I've used SmoothWall Express but not in some time and not sure how well it works with IPv6. Not looking for something huge, just something for the equivalent of a small branch office. Site to Site VPN support and NAT translation capability for a few public IP addresses to private addresses are the only requirements. Public or private responses are welcome!
Anyone have some insight on a good dual stack Linux (or BSD) router distro?
Currently using IPCop but it lacks ipv6 >support. I've used SmoothWall
Express but not in some time and not sure how well it works with IPv6. Not
looking for >something huge, just something for the equivalent of a small
branch office. Site to Site VPN support and NAT >translation capability for
a few public IP addresses to private addresses are the only requirements.
Public or private >responses are welcome!
Not sure if they support IPV6 or not, but Imagestream makes Linux based
routers, and everyone I've ever talked to that owns one has nothing bad to
say about them.
Mikrotik RouterOS. It is based on Linux and a bit more feature-rich
than some of the linux router distros I've tried such as IPCop.
Licenses costs a few bucks but its worth it IMHO.
I'm not sure if the GUI is a requirement, but I'm a huge fan of Shorewall.
It has support for both v4 and v6 along along with the usual router
requirements. Since it's just a linux box with a few iptables rules, you
can easily load openvpn, ipsec, quagga, etc...
It's all text files and a 'shorewall start|stop|check' script.
If you want something with a GUI, pfSense is your best bet, or you could
use something like fwbuilder to build your iptables rules.
I actually spaced about vyatta when I wrote this email. I have since been forcefully reminded. About 30 times In the process of testing it, however my main concern is some of the complexity of the config options. The GUI is a welcome addition since 4, however I still find it a bit lacking. I may go the vyatta route anyway based only on my sheer curiosity and future possible needs.
pfSense has ipv6, since it's essentially just a freebsd kernel with a
layer on top. However, ipv6 support in the GUI is fairly minimal to
non-existant, and I wouldn't recommend it if you really want to use
ipv6.
Mind you, I'm a fan of pfSense, it's just too bad it's not
ipv6-friendly
Lots of people roll FreeBSD with Quagga/pf/ipfw for dual stack. See
the freebsd-isp list.
FreeBSD's network stack chokes up in DDoS attacks due to interrupt
flooding. We used to use FreeBSD for firewalling and basic routing, but
when noticing that we had horizontal scalability (e.g. a Celeron 667mhz
performed nearly as well as a dual dual-core Xeon system when DDoS
attacks happened), we switched to Vyatta, and generally have not looked
back.
FreeBSD's network stack chokes up in DDoS attacks due to interrupt
flooding. We used to use FreeBSD for firewalling and basic routing, but
when noticing that we had horizontal scalability (e.g. a Celeron 667mhz
performed nearly as well as a dual dual-core Xeon system when DDoS
attacks happened), we switched to Vyatta, and generally have not looked
back.
William
Which version of FreeBSD and how much traffic/pps?
I believe that there has been significant improvements to the networking
stack in recent versions of FreeBSD, plus there are also a lot of sysctl
tunables which can significantly improve networking performance. I have
a hard time believing that the networking performance of recent versions
of FreeBSD would not be competitive in comparison to other unixes.
I was wondering what kind of experience the nanog userbase has had with these two packages.
Quagga++.
I've never tried the other.
I use Quagga for OSPF, OSPFv3 and BGP (IPv4 and IPv6). With a bit of
trickery, it fits in nicely with my RANCID setup, and what I like best
is that it (mostly) follows Cisco's command convention.
There are also very active developer and user mailing lists.
For the most part, I wouldn't know if I was writing a config for a Cisco
or for a Quagga box.
fwiw, I've also heard good things about bgpd(8) and ospfd(8), but I
haven't tried those either...zebra/Quagga just stuck.
Has quite a few talk about Quagga/Bird as they are used as route servers in Europe.
For a route server use, BGP under very high number of peers, it seems bird now behave better than anything else.
so for "normal" use, it would seems that whatever you pick will work but quagga is surely the most deployed.
OpenBGPd would be great for a public route server at an IX.
It's not so great for use in a network unless you run it on OpenBSD - FreeBSD has no metric attribute in it's routing tables, so next-hop IGP metric cannot be compared as the two daemons do not communicate directly at all.
If you're on anything other than OpenBSD, I recommend Quagga. I can't comment on BIRD as I have no experience with it yet.
XORP is also interesting, it's a more JunOS like interface. It's also some quite heavy C++, so running it on the tiny Soekris boxes that I had meant it wouldn't work for me. If you can spare the CPU and RAM then give XORP a go.
Quagga does not really behave well with lots of peers (lots >> 200), but
there will be an optimized route server version soon.
This was discussed today at Linx 68. Linx is very pleased with Bird - they could not get Quagga working due to load issues.
With large numbers of peers, the update processing can cause the program to hit his peer HoldTime Timer (with a domino's effect as well).
EuroIX is sponsoring some work on Quagga to get the KeepAlive management moved into a separate Thread.
During the discussion, a developers of Bird said that their filtering code _may_ still have bugs (when performing community based filtering).
In the process of testing it, however my main concern is some of the complexity of the config options. The GUI is a welcome addition since 4, however I still find it a bit lacking. I may go the vyatta route anyway based only on my sheer curiosity and future possible needs.