Snoopers charter and the imposition of totalitarian states / Linux edge router
Re: Snoopers charter and the imposition of totalitarian states / cheap Router / firewall / OpenVPN
I have been looking for a cheap home option to run a firewall / router between the ISP router and my LAN. Mostly for fun, but also to monitor network traffic more closely, prevent the router being the weak link of network security, and have a better edge firewall than the home router.
I was looking for a low power Atom, or such, to have my own Linux or BSD system, like pfSense. This solution hasn’t come down to a low enough price, so I’ve decided to buy this Linux MIPS box with OpenWrt. I’ll do a review, but a Linux box at £20 - £30 and < 2 Watts seems cool.
GL-AR300M mini router, 300Mbps WiFi, OpenWrt, Repeater, OpenVPN, 128M RAM, 128M Nand Falsh
https://www.amazon.co.uk/d/Computers-Accessories/AR300M-router-300Mbps-OpenWrt-Repeater-OpenVPN-Falsh/B01I92T754/ref=pd_bxgy_147_img_3?_encoding=UTF8&psc=1&refRID=BCND9HRGR1XKZKFBEV4F
@wrapper : Review of GL-AR300M mini router
The reason for having an edge router is to isolate the home network from the ISP’s router. There are various trust issues with ISP-supplied routers, and known compromises that might end up on your network.
For instance, even though I was sure I’d set “remote access” to off on the ISP router, I found remote access had been reset to “on”.
In addition, there are many other potential zero days in the old operating systems most routers run; even the AR300M’s version of OpenWrt (compiled in Jan 2017) was using a 3.18.27 Linux kernel.
The router has 4 modes, Edge (cable), Repeater, 3G and Tethering.
Choosing Cable, the system did set itself up on separate WLAN and LAN, so the box acts as a bridge and the traffic can be monitored.
The LAN was now on 192.168.8.x, which caused a problem with a NAS with a static IP of 192.168.1.12 not appearing on the network.
Also, it can be disconcerting when you’re not a network expert and you’re changing the IP you’re using to access the box!
The router was very powerful (!) compared to other routers; 125 MB is more than twice what you might expect in a MIPS device. OpenWrt was set up and worked well. I was able to ssh in and update the software from GLi’s package store, add new software (mc, htop, nmap etc.) and add “collectd” statistical plugins, like ping and uptime.
root@GL-AR300M:~# cat /proc/cpuinfo
system type : Qualcomm Atheros QCA9533 ver 2 rev 0
machine : GL-AR300M
processor : 0
cpu model : MIPS 24Kc V7.4
BogoMIPS : 432.53
wait instruction : yes
microsecond timers : yes
tlb_entries : 16
extra interrupt vector : yes
hardware watchpoint : yes, count: 4,
isa : mips1 mips2 mips32r1 mips32r2
ASEs implemented : mips16
Memory is limited for graphs and is lost if the unit is rebooted so it is possible to dump data off the system to a long term storage server.
So far the GL-AR300M router has acted flawlessly and monitoring shows that the cheaper (£20) 60MB models would have performed the current tasks on our home network.
I noted one effect of isolating the network was a reduction of the number of firewall intrusion attempt warnings on the main router. This was not something I was expecting to see and must mean the ISP router was somehow identifying it was on (?)
For the extra security and monitoring ability I see the box as replacing a “server / router”, so would put up with some additional maintenance.
Conclusion :
The GL-AR300M router unit seemed to act stable for the short test time and load. I found it a powerful and easy to use unit, certainly less daunting than replacing the ISP’s router.
Downsides were that it did take a bit of extra network knowledge to set it up, and I did not test some of its features, such as the VPN functionality.