BLU Discuss list archive
[Discuss] laptop as router
- Subject: [Discuss] laptop as router
- From: smallm at SDF.ORG (Mike Small)
- Date: Fri, 6 Nov 2015 20:33:30 +0000
- In-reply-to: <CAPiok-obThfi6Wkz2_2Zvvx6vL_9RPbJRyxoYRdKLYB1HY_FCg@mail.gmail.com>
- References: <20151105192531.GK26960@SDF.ORG> <CAPiok-obThfi6Wkz2_2Zvvx6vL_9RPbJRyxoYRdKLYB1HY_FCg@mail.gmail.com>

On Fri, Nov 06, 2015 at 10:31:32AM -0500, John Hall wrote:
> I do not use BSD. I'm assuming though that firewall rules and abilities
> are similar to Linux.

The different BSDs use a couple different firewall components. The BSD I like, OpenBSD, has pf, which has better configuration syntax than iptables. This isn't a preference thing but an objective fact from what I can tell. If anyone's used both pf and iptables and prefers iptables's syntax tell me I'm wrong.

I've never compared the list of features of each but pf has everything I need. It's a stateful firewall that can do NAT. It also supports load balancing, failover and other advanced features, but I have no use for those. The only criticism I've heard is that it, combined with OpenBSD's network stack, doesn't make use of multiple CPUs very well (or at all?). The line used to be that SMP wasn't that applicable here and that their single threaded design did as well or better. However there are mailing list messages and developer interviews lately suggesting making use of parallelism might be in the cards in the future. FreeBSD has a fork of pf that uses SMP. But it doesn't take up recent improvements to pf so that's a mixed blessing. But for me performance isn't an issue either so that's all FYI for those curious about BSD.

>
> *Free solution:* Configure the older laptop with firewall rules to share
> wired internet through NAT via your wireless network, and use fairly
> paranoid port rules on the wired connection. Configure the wireless adapter
> as access point and run dhcpd to assign IP addresses on the wireless
> network.
>
> Do not forget the connectivity needs of your smart phone! save data charges
> and battery power!

I don't have a smartphone yet. Depending on what's available, it's possible I'll get one with this move as part of my plan to avoid Comcast and Verizon. It seems you can't tether internet with an LG LX370 and Sprint. Yet it sounds like tethering for your main internet isn't without difficulty: I'm seeing reports of it overheating phones, of driver difficulties, or Windows/OS X software being required to initialize or authenticate.

Maybe I'll end up using dialup. Some recommend it as a good option for similar reasons to those of people who choose not to own TVs. (I think Joey Hess of Debian has similar thoughts though I can't find the relevant blog entry now.) Is there still such a thing as a CLEC? Is it possible I could land in an apartment where I can't even get a landline for dialup without supporting Comcast or Verizon?

> Making an internet sharing deal with a neighbor and NAT from wireless to
> wired (reversed) might be possible and it might be something you can barter
> since you are good at networking and computer stuff. Just a thought.

That would be cool. I don't usually talk to my neighbours but maybe I should.

> Ned, in terms of using a router/firewall distribution, I think if the
> hardware is dedicated as a router this is a great solution but if you are
> using it as a laptop too I'm not sure. Would you visualize the router OS
> or the user OS in this case? Either way it seems firewall rules and service
> configuration are going to be more complex not less and perhaps it's just a
> matter of installing the right packages if you want an http /graphic
> control panels.

I was going to respond to Ned but I deleted his email before I thought of it. I can see how pfSense or the like might be good but it doesn't appeal to me. I want a general purpose OS and OpenBSD in particular. If there's knowledge I ought to be outsourcing to the creators of these productized special purpose distros I'm willing to risk it for the benefit of learning these things myself. Besides OpenBSD has the much vaunted "only 2 remote holes in the default install in 20 years" thing. Not that I couldn't screw up the default install to where it's insecure but whatever, we're not Fort Knox here. I doubt the computers "out there" with my information can be counted on either.

Probably I'll blend use of this as a router and general purpose computer. Okay, bad in the defense in depth department, but it seems silly to boot up a second machine just to connect to sdf or to check the weather forecast. Maybe I'll think about what should and shouldn't be on or done on the router laptop, e.g. only do my banking and keep my passwords on the 2nd, private network machine. One benefit maybe of using my router this way should in theory be that I'll more likely notice weird things happening on it than I would were I not connected to it directly. In a professional environment that would be what logging and network monitoring would be for but realistically I'm not going to make that kind of effort on my home network.

>
> *A second hand router will be a better investment and much
> less awkward than a USB Ethernet dongle, that said, I've
> seen Ethernet dongles with an integrated USB hub and that seems like a more
> useful purchase overall, if you can find one that people
> have working normally with your selected OS.*

I just saw an FSF announcement about member discounts at Think Penguin. They have a wireless router running a blob free GNU/Linux distro called LibreCMC. That might be a sensible option if I start feeling sensible sometime. Only trouble is, though the drivers must be all free software to be approved by the FSF, they may not be ported to the BSDs. So it might not be a machine that's actually good to run OpenBSD on unless I can teach myself to port network drivers.

(I hope you don't mind me taking this back to the list.)