Low end, cool CPE.

I've run into a number of low end CPE situations lately where I
haven't found anything that does what I want, but I have to believe
it is out there. I'm hoping NANOG can help.

Basically think about a sophisticated home user, or a 1-5 person
small office. Think DSL, Cable Modem, maybe Cell Card or ISDN as
backups. Looking for an "appliance", very much fire and forget. I
probably won't get all the features that I want, but in no particular
order:

- Able to load balance over 2 links (probably via NAT).
- IPv6 support, native or tunnel to tunnelbroker.net type thing.
- Able to deal with "backup" connectivity, eg. Cell Cards which you
  only want to use if the primary is down.
- User friendly features, e.g. UPNP, NAT-PMP, etc.
- Good manageability. ssh to a cli would be a huge bonus, at least
  the ability to backup a config.
- Able to handle decent throughput, probably 20Mbps/sec min, 50 would
  be nice.
- Nice firewall features.
- IDS features are cool.

WiFi is not strictly required, but would be cool. Things like "guest"
WiFi would be an added bonus.

Something a NANOGer might want at home would be a good baseline.
I realize the exact product may differ depending on DSL/Cable/Cell/ISDN,
that's ok, let's get some various good solutions going here.

What is the state of the art, and who has it?

ClearOS appliance.
http://www.clearcenter.com/ClearBOX-Overview/clearbox-overview.html
multi-wan, snort IDS, reporting, all built in. Manageable via the web
interface, or ssh (it's linux after all)

I've been pretty happy with the Astaro firewall product - It's basically a Linux system with a nice web-based interface for management. Either get their appliance, or throw it on a x86 box. Only thing out of your wish list I've really had a problem with is lack of IPv6 support.

They have a free home version that I've got all sorts of weird stuff running through on a cable modem without any problems.

www.astaro.com

David

Try the Linksys RV016. We're using this to load balance three
satellite uplinks in Afghanistan, 2 Mbps each, but it will supposedly
handle much higher.

Best regards, Jeff

And does this take cellular modems as a backup? The only wifi AP I've
seen that would take SIM cards besides ethernet was a no-name Chinese
brand I saw in a Hong Kong electronics store.

Last time I looked into this, the small Fortinet boxes and the Juniper NetScreen-5 or -25 were in this class. Juniper now has the SSG to replace the small NetScreen devices.

I'm using a Fortinet box to do many of the things on your list, including IPv6 support, at home.

Matthew Kaufman

And I forgot to mention an even more relevant operational note... quite a few of these boxes can support quite a few more security zones (or profiles or whatever they call them) than they have ports. Consider VLAN-trunking one of these into a low-end VLAN-capable switch as a port expander.

Matthew Kaufman

The Vigor2820 series of WiFi AP/Router/ADSL boxes will take a USB 3G modem stick. They will probably also do the necessary for the OP, although v6 is experimental I believe.

Solwise have some HomeAV devices that will take USB 3G dongles.

  f

I'd take a peek at Juniper's branch model SRX line. Something like the
SRX210 has a mini-PIM slot that can take a DOCSIS hand-off.

Can't speak to pricing, however, but they're great little boxes.

Adam

DD-WRT supported hardware may be a start...

As well as an expresscard slot for a wireless modem..

I'm very happy with my SRX-100, but, I wouldn't call it particularly low-end at $600.

Owen

I have sort of recently gone from a little netscreen 5 to a mikrotik rb750g.
Happily running for about 4 months. Way more of a power user or net admin
than consumer oriented device. Fast though, loads faster than the netscreen

I've run into a number of low end CPE situations lately where I
haven't found anything that does what I want, but I have to believe
it is out there. I'm hoping NANOG can help.

<snip>

What is the state of the art, and who has it?

<shameless plug>

Have a look at http://labs.ripe.net/Members/mirjam/ipv6-cpe-surveys/ if you want some pointers on IPv6 support. As always feedback is more than welcome, I'll try and publish a new one in a few weeks.

</shameless plug>

Frank Bulk maintains something similar on the ARIN wiki at http://www.getipv6.info/index.php/Broadband_CPE

MarcoH

I've run into a number of low end CPE situations lately where I
haven't found anything that does what I want, but I have to believe
it is out there. I'm hoping NANOG can help.

An ALIX with pfSense 2.0 (BETA4 at the moment) would fit most
of the above. IPv6 support is coming (is mostly there in the
kernel, but interface only alpha).

If you want to run the snort package I'd however pick a
Supermicro Atom system with 2 onboard NICs and add a dual-port
Intel NIC, and run pfSense from a small SSD or a USB stick.
Albeit a rackmount, the system would be quiet enough for SOHO.

There are multiple recommended hardware vendors
http://www.pfsense.org/index.php?option=com_content&task=view&id=44&Itemid=50
and also commercial support
http://www.pfsense.org/index.php?option=com_content&task=view&id=62&Itemid=73

Basically think about a sophisticated home user, or a 1-5 person
small office. Think DSL, Cable Modem, maybe Cell Card or ISDN as
backups. Looking for an "appliance", very much fire and forget. I
probably won't get all the features that I want, but in no particular
order:

- Able to load balance over 2 links (probably via NAT).

Check.

- IPv6 support, native or tunnel to tunnelbroker.net type thing.

Requires hacking at the moment, but is coming fast.

- Able to deal with "backup" connectivity, eg. Cell Cards which you
  only want to use if the primary is down.
- User friendly features, e.g. UPNP, NAT-PMP, etc.
- Good manageability. ssh to a cli would be a huge bonus, at least
  the ability to backup a config.

Very well supported. http(s) and ssh both.

- Able to handle decent throughput, probably 20Mbps/sec min, 50 would
  be nice.

ALIX does about 70 MBit/s, a dual-core Atom can probably handle 500 MBit/s.

- Nice firewall features.
- IDS features are cool.

WiFi is not strictly required, but would be cool. Things like "guest"
WiFi would be an added bonus.

Something a NANOGer might want at home would be a good baseline.
I realize the exact product may differ depending on DSL/Cable/Cell/ISDN,
that's ok, let's get some various good solutions going here.

What is the state of the art, and who has it?

I run pfSense both at home (6/100 MBit/s DOCSIS 3.0 cable modem)
and in the colo (GBit Ethernet, failover cluster). Very happy.

Leo Bicknell <bicknell@ufp.org> writes:

- IPv6 support, native or tunnel to tunnelbroker.net type thing.

This is far too diffuse. You'll get a "yes, we've got IPv6".

You should at least add
- IPv6 packet filtering and policy management (at least simple access
   lists)
- DHCPv6-PD client running over PPP or ethernet (possibly bridged DSL)
   WAN interface(s)
- Ability to split the delegated prefix into a /64 for every LAN and
   loopback interface, preferably fully configurable
- Configurable RA on LAN interfaces, using the dynamically allocated
   prefixes
- (wishlist) configurable ifid's on the LAN and loopback interfaces as
   an alternative to using EUI-64
- WAN link addressing using whatever is available of SLAAC, DHCPv6
   IA_NA or link local. Specifically: Using SLAAC for the WAN link
   should be possible without sacrificing any router functionality on
   the CPE.

and probably a lot more. DNS resolver handling needs a chapter on its
own....

The point is: We've been asking for "IPv6" for too long. That's just
one bit in a packet header. We need to start asking for the features we
expect, which is a lot more than that bit.

Bjørn

For IPv6 CPE requirements, you might want to look at http://tools.ietf.org/html/draft-ietf-v6ops-ipv6-cpe-router-07 and comment on the IETF v6ops list.

Tim

Mikrotik RB750G here with RouterOS 5.0RC3

Since I'm on a cable modem with Port 25 blocked and I want an SMTP server at home, I'm now using the Router to additionally set up an L2TP tunnel into PortableIP.com, grab a fixed IP over there, use this as my MX and DST-NAT into an SMTP server at home.

Also I'm SRC-NATting out everything to the cable modem, but the SMTP traffic back out the L2TP interface.

All of this on a $70 box, with a very fast CPU, and 5 GigE ports.

F.

All of this on a $70 box, with a very fast CPU, and 5 GigE ports.

Currently playing with a little ADSL box made by Gennet (Athens, Greece). They have a beta which includes v6 support. Still some work to do but it looks very promising and the basics work (PPP dual stack, DHCPv6 PD, DNS). Firewall is under development and they have a nasty bug in the wlan driver which needs fixing so it supports v6.

http://broadband.gennetsa.com/oxygen_router.html

Groet,

MarcoH

I've run into a number of low end CPE situations lately where I haven't
found anything that does what I want, but I have to believe it is out
there. I'm hoping NANOG can help.

Basically think about a sophisticated home user, or a 1-5 person small
office. Think DSL, Cable Modem, maybe Cell Card or ISDN as backups.
Looking for an "appliance", very much fire and forget. I probably won't
get all the features that I want, but in no particular
order:

- Able to load balance over 2 links (probably via NAT).
- IPv6 support, native or tunnel to tunnelbroker.net type thing.
- Able to deal with "backup" connectivity, eg. Cell Cards which you
  only want to use if the primary is down.
- User friendly features, e.g. UPNP, NAT-PMP, etc.
- Good manageability. ssh to a cli would be a huge bonus, at least
  the ability to backup a config.
- Able to handle decent throughput, probably 20Mbps/sec min, 50 would
  be nice.
- Nice firewall features.
- IDS features are cool.

I've been very happy with Peplink's Balance line (have a couple of
380's)

-Keith