Scythifuge wrote on 2024-02-08, 03:51:
[...]
I just found out about custom firmware on routers (in part due to researching the DIR-655 I thought I bricked, but which is now mysteriously working and accessible from my XP and main PCs), and I think that the concept is pretty neat. I read that we can thank Linksys for that. I saw info about the Tomato firmware, and Merlin for Asus routers (of course, the one I just bought can't use it, so I will just add it as another gateway). I am going to keep researching this stuff and collect more routers and switches, especially if they have VLAN options. I am going to buy that TP-Link switch because it has 8 ports and VLAN support for $26.
A tip regarding routers: your requirements for VLAN support put you firmly in the 'SOHO' if not actually 'enterprise' market segment. In that segment, routers tend to be - well - routers and not contain a kitchen sink of other functionality like a WiFi AP or a file server via USB. Trying to shoehorn all your networking requirements into a single device just makes your life more difficult and limits choice. Custom firmware can be extremely powerful, but frequently also lacks access to certain proprietary functionality of chipsets, leading to limitations in terms of performance and features - another thing that needs checking when selecting hardware.
Instead I'd recommend keeping it simple: choose your router based on its ability to route (if you want to actually achieve Gigabit speeds while working with firewall rules, this is NOT a trivial requirement!) and use other devices for other functionality. Need a file server? Run a separate file server. Depending on requirements in terms of performance and power draw, a simple Raspberry Pi might suffice, but again, if you want to reach that Gbps, you'll need to invest a little more. Don't expect those speeds from a USB stick in a consumer router, regardless of firmware. Having a Gigabit port does not automatically mean you will reach Gigabit speeds over it.
I already mentioned my hEX router (which would - just - be able to handle 1Gbps WAN to LAN with 25 firewall filter rules). I have an old Core i3 2100 with PicoPSU running Linux as a server. It has very low idle power draw, but is more than powerful enough for anything I throw at it. I'm currently migrating my WiFi from Ubiquiti UniFi to HPE Aruba InstantOn (mainly to get experience with the platform; my UniFi UAP AC Pros are good enough in terms of performance and stability, even if the controller is a weak point whenever it's time to upgrade).
Note that it's possible to use old metal as a server or router too, but power consumption will be much higher due to less efficient power management leading to higher idle power - this Core i3 draws less than a quarter of the power of the P3-800 I had a while back. Also, it's more difficult to find up-to-date secured software for old stuff, and unlike with client PCs, that is a risk with stuff that's always on, particularly if you want to expose it to the internet.
As of right now, I am getting ready to install a big XP update called Integral, with SP3 and the updates up until 2019.
Wouldn't recommend that. Even with patches up to 2019, XP is fundamentally insecure against things specifically designed to target XP systems after that. And if it's going to be insecure anyway, there's not a huge reason to install SP2 and SP3, both of which massively increase system footprint and reduce performance. XP without SP runs happily with 512MB of RAM; with SP3 it feels slower with 2GB...
I also finally got my main PC and the XP PC to see each other's shared folders, with the main PC requiring a username and password, and when I try to access the XP PC, due to using a 2nd router to segment my retro PCs, I have to input my 2nd router credentials, which I think is cool.
You mean you need to log into a separate WiFi network?
If so, this only adds security vs eavesdroppers in the wireless domain. As I mentioned earlier, WiFi security only secures the 'wire' between client and AP, it does nothing to secure the content once it's off the air and onto a wire. You've just given yourself an extra administrative hurdle here with no security benefit.
I'm also suspicious of Windows File & Printer Sharing (SMB/CIFS) with out-of-support systems. I prefer using SCP (tip: WinSCP) - or indeed plain old FTP if only on a secure LAN.
I think that technically, my XP machine is behind three firewalls: the Spectrum router, the dlink router, and the built in XP firewall. I am glad to be getting some use out of this old DIR-655, hehe...
Putting on three condoms over each other also doesn't increase protection... You can definitely use firewalls behind firewalls to good effect, but you need to have a very clear design about which one is doing what. Just taking three firewalls you haven't specifically configured doesn't do very much.
Consider that the biggest threat - certainly with an XP machine on the network - is that the machine gets pwned by some software you downloaded after which it becomes part of a botnet, transmitting bad stuff elsewhere. The most important task of your firewalls isn't stopping stuff from outside in, but from inside out - which, once again, isn't part of the default functionality of these things. If they fail at that, you risk getting flagged for abuse and having your internet connection suspended. So for starters I'd recommend focusing on a single firewall and making sure that there's a default 'deny all' rule on outbound traffic from your vintage machines, particularly your not so ancient ones. Then make specific exceptions for traffic you want to allow.
We are also ditching Spectrum. In a couple of weeks, we are getting fiber with gigabit up and down. I am excited for that. We are switching to the same company for our landline, so I can still use my dialup modems and call BBSs or play Wing Commander Armada and whatnot (and maybe build my own BBS), and that is very cool. Another goal would be to create websites which retro computers can access, with links to other retro-compatible sites.
Internet-accessible servers are a whole different kettle of fish. By definition you are exposing these machines to potential attack. I would recommend only hosting stuff on modern, fully patched machines. If you really want to host on old stuff, take REALLY old machines and OSs and definitely not anything running a Windows NT derivative like XP. Also make sure to have good firewalling rules in place: only allow access inbound on the specific ports of the services and - even more importantly - only allow outbound traffic from the server on those specific ports. Make sure the server has a completely separate management IP so you can apply different rules (i.e.: it can only be managed from the LAN, not from the internet).
Oh, and again on the Gb - Windows XP does not support TCP Receive Window scaling by default; unmodified it will even struggle with 100Mbps throughput, so for higher speeds you'd need to hack the registry (or download third-party tools and hope they are trustworthy) to go above that, enabling RFC1323 and increasing the TCP Receive Window. I honestly don't know how high you can expect to go - this stuff is actually part of my day job, but by the time we were approaching Gbps we weren't considering anything prior to Windows 7. I know that XP can get to 200Mbps, but it can probably handle more, although I'd be surprised if you could hit 944Mbps (the max net TCP you can get over 1GbE). Also consider that measuring speed utilizes CPU, and even if your network settings could handle the speed, a speedtest site might bring the CPU of your XP box to its knees. The same applies to secured protocols (SCP/SFTP): unless you have a lot of spare CPU and/or hardware offload, the calculations for AES will be the limiting factor. For low-overhead testing, use iperf3 - but be aware that actual applications may be CPU limited below whatever you measure.
Hmm... this is going a bit off-topic here. What network performance to expect from vintage systems and how to optimize them is worth a topic of its own.
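As an added example (not a configuration from this thread or from any of its posters), here is the firewall design the reply describes written out as an nftables ruleset for a Linux-based router: a default 'deny all' outbound from the vintage VLAN with specific exceptions, inbound to a hosted retro site only on its published port, and a separate management address reachable only from the trusted LAN. Interface names, addresses and ports are constructed assumptions, and the public-to-private DNAT for the hosted site is assumed to happen in prerouting so the forward chain sees the private address.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Constructed assumptions:
#   vlan20  = retro VLAN 192.168.20.0/24      lan0 = trusted LAN 192.168.10.0/24
#   eth0    = WAN                              192.168.10.1  = local DNS resolver
#   192.168.10.10 = LAN file server (SCP/FTP) 192.168.20.80 = hosted retro web site
#   192.168.10.80 = separate management address of that server (LAN-only)

flush ruleset

table inet retro {
    set published_ports {
        type inet_service
        elements = { 80 }   # only the service port is reachable from outside
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies for flows already allowed below; anything else stateless is dropped
        ct state established,related accept
        ct state invalid drop

        # Inside-out from the vintage VLAN: name resolution only via the local resolver
        iifname "vlan20" ip daddr 192.168.10.1 udp dport 53 accept
        # ...and file transfer to the LAN file server (SCP on 22, plain FTP on 21)
        iifname "vlan20" ip daddr 192.168.10.10 tcp dport { 21, 22 } accept
        # Default 'deny all' outbound: logged so a compromised XP box shows up here
        iifname "vlan20" log prefix "retro-out-drop " drop

        # Outside-in: the hosted site only on its published port; the server's own
        # outbound traffic is limited to replies on that port by the ct rule above
        iifname "eth0" ip daddr 192.168.20.80 tcp dport @published_ports accept

        # Management only from the trusted LAN; the WAN never reaches the mgmt address
        iifname "lan0" ip daddr 192.168.10.80 tcp dport 22 accept
        iifname "eth0" ip daddr 192.168.10.80 log prefix "mgmt-from-wan " drop
    }
}
```

Load with `nft -f` and watch the `retro-out-drop` log prefix: any hit from a vintage machine that is not on the exception list is exactly the inside-out traffic the reply warns about.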