[124505] in North American Network Operators' Group
Re: Home CPE choice
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Apr 1 12:31:54 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <l2l2eb352881003311623p57a3c54fi4f39820a5b6bc6a5@mail.gmail.com>
Date: Wed, 31 Mar 2010 23:00:22 -0700
To: Iain Morris <iain.t.morris@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Yeah, the one unfortunate thing in the J-series and SRX-series is that after 9.6
you have to put in a whole bunch of config to turn it back into a router.
JunOS on these "services" routers now wants to behave like a netscreen
until bludgeoned otherwise. The way to achieve this is not intuitively
obvious, especially the forwarding-options mpls (which affects inet,
not just mpls) and the flow stuff.
Owen
Here's a useful template for those that care:
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                    bgp;
                    ospf;
                    router-discovery;
                }
            }
            interfaces {
                all;
            }
        }
    }
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
        }
    }
    flow {
        allow-dns-reply;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
}
On Mar 31, 2010, at 4:23 PM, Iain Morris wrote:
> Juniper's SSG5 and SRX100 are nice options for home. I've enjoyed an SSG5
> for awhile now. SRX100 for junos. SSG5's pop up on ebay occasionally for a
> few $100.
>
> -Iain
>
> On Wed, Mar 31, 2010 at 4:18 PM, Marty Anstey <marty.anstey@sunwave.net> wrote:
>
>>
>>>
>>> Hopefully this e-mail is considered operational content :)
>>>
>>> The recent thread on the new linksys kit and ipv6 support got me
>>> thinking about CPE choice.
>>>
>>> What good off the shelf solutions are out there? Should one buy the
>>> high end d-link/linksys/netgear products? I've had bad experiences
>>> with those (netgear in particular).
>>>
>>> Should one get a "real" cisco router? The 877 or something? Maybe an
>>> ASA or the new small business targeted ISR (can't recall the model
>>> number off hand right now). There is mikrotik but I'm not so sure
>>> about the operating system.
>>>
>>> Is there a market for a new breed of CPE running OpenWRT or pfsense on
>>> hardware with enough CPU/RAM to not fall over?
>>>
>>> Granted that won't cost $79.00 at best buy. However it seems to me
>>> that decent CPE is going to run a couple hundred dollars in order to
>>> have sufficient ram/cpu.
>>>
>>> My current home router is a cisco 1841. I keep my 6mbps DSL line
>>> pretty much saturated all the time. Often times my wife will be
>>> watching Hulu in the living room, I'll be streaming music and running
>>> torrents (granted I have tuned my Azureus client fairly well) all at
>>> the same time and it's a good experience. Running that kind of
>>> traffic load through my linksys would cause it to need a reboot once
>>> or more a day.
>>>
>>> What are folks here running in SOHO environments that doesn't require
>>> too frequent oil changes :)
>>>
>> I run FreeBSD on a PIII; I can easily saturate my 15mbit cable
>> connection without it breaking a sweat. I also have a couple Cisco
>> 2610's, one of which is my ipv6 tunnel endpoint.
>>
>> -M
>>
>
> --
> -- -
> Iain Morris
> iain.t.morris@gmail.com
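
A review aid for the template in the message above, as an added example that is not part of the original thread: it flattens brace-style config into "display set"-like statement paths and lists the statements that switch off the firewall behaviour the message describes. The rule list, its notes and the condensed sample are assumptions made here, and config comments are not handled.

```python
import re

# Constructed sample: a condensed copy of part of the template above.
SAMPLE = """
security {
  zones { security-zone trust { host-inbound-traffic {
    system-services { all; } protocols { all; bgp; } } interfaces { all; } } }
  forwarding-options { family { inet6 { mode packet-based; }
                                mpls { mode packet-based; } } }
  flow { allow-dns-reply; tcp-session { no-syn-check; no-sequence-check; } }
}
"""

# Hypothetical review rules: statements that relax the firewall defaults.
RULES = [
    (r"security forwarding-options family \S+ mode packet-based",
     "family is forwarded per packet, bypassing flow/session processing"),
    (r"security flow tcp-session no-\S+",
     "TCP state check turned off"),
    (r"security zones security-zone \S+ host-inbound-traffic \S+ all",
     "hosts in the zone can reach every service or protocol on the device"),
]

def flatten(text):
    """Convert brace-style config into 'display set'-like statement paths."""
    paths, stack, pending = [], [], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":
            stack.append(pending)          # descend into a new hierarchy level
        elif tok == ";":
            paths.append(" ".join(stack + [pending]))
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok.strip():
            pending = " ".join(tok.split())  # normalise internal whitespace
    if stack:
        raise ValueError("unclosed '{'")
    return paths

def audit(text):
    """Return (statement, note) for each statement matching a review rule."""
    return [(p, note) for p in flatten(text)
            for pattern, note in RULES if re.fullmatch(pattern, p)]

if __name__ == "__main__":
    for statement, note in audit(SAMPLE):
        print(f"{statement}\n    -> {note}")
```
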