1U PfSense router from Old Laptop

As part of my network upgrades, I wanted a better router and firewall. In the past, I’ve played around with several router and firewall operating systems in several hardware configurations, but I haven’t done anything quite like this.

In this post, I'll build a rackmount 1U overkill router (or server) from a 7-year-old gaming laptop.

Goals and Requirements

Advanced configuration – The whole point is to learn. So I want to be able to try different things and have more flexibility in the way I manage my gateway. This would require modular hardware and more advanced software.

Monitoring – I’d like to see statistical data over time and try some real time anomaly detection. This would, of course, mean that the software has to either support it as a built-in feature or as an external plug-in. It would also require more processing power and memory.

Connector and link speed flexibility – This will probably be my router for a pretty long time, so I want to be able to upgrade to higher speed Ethernet or fiber down the line, or have a better NIC or different configuration of connectors. This requires modular hardware.

WAN to LAN speed – I recently upgraded my internet connection to 1Gbps fiber and I want to be able to utilize it all while still allowing full speed (maybe >1Gbps) between other ports. This would mean more processing power and memory and a fast interface for the NIC.

Multiple networks – I want to set up a separate network for experiments, and I want its traffic to pass through the firewall and not only through the managed switch. For this I will need a NIC with at least 3 ports (WAN, LAN, EXP).

Rackmount – I’m consolidating all my gear to a rack, so I’d like it to fit neatly in 1 rack unit and not be a box on a shelf.

Hardware

There are many off-the-shelf boxes that would meet my current needs in terms of processing power and connections, but they are not modular when it comes to hardware upgrades, and they usually offer a limited range of software options (the options themselves can be great, but I want to be able to swap between different ones). They are also pretty expensive at this level of performance.

I decided to take the DIY route, unsurprisingly.

Many DIY routers use a Single Board Computer. Much like the off-the-shelf boxes, some have very impressive performance, but they lack the expandability I'm looking for. One major advantage of DIY SBC routers is the price – they can be much cheaper than other solutions.
As I mentioned, an SBC will not fit my needs, so I'll not be using one.

I have an old Intel i7-4700HQ gaming laptop with a broken chassis, but working internals. This is more than enough power for what I need, and it comes with a very low-profile cooling solution that should fit very nicely in a 1U case.

There are many professional router operating systems for x86 processors, so no compromise there. I also like the idea of it being a regular computer so I can install any Linux or even Windows OS and turn it into a server or something else if I ever move to a different solution for the router.

Chassis

Empty rackmount chassis options are very limited where I live. The stores here import pretty much only one brand, and not even all of its models, so I bought the only 1U case model I could find locally. Shipping one from overseas would cost much more.

I bought an iStarUSA D-118V2-ITX.

It’s a little shallow for a rackmount chassis, but it should be enough for a router.

Board, CPU, RAM, GPU(?)

This laptop is pretty modular. The RAM is standard SO-DIMM, not soldered, and there are two slots.
There's an mSATA slot for a small SSD and a regular SATA connection for a standard 2.5″ HDD or SSD.
The WiFi card is also not soldered to the board, but connects via mini PCI-E. This is great news, as I don't need WiFi and I hope it would (spoiler: it does) work for other (all?) standard PCI-E components.
Less interesting, but still cool, the CPU is also socketed, so I can upgrade or replace it if it dies.

Since it's a gaming laptop, it also has a GPU, a GTX750. Nothing amazing, not even when it was new, but it could be interesting to try and find a use for it in a firewall.

Power Supply

The laptop has a separate power supply, like any laptop, so I don’t have to fabricate one or try to find one that fits the hardware. The motherboard already has all the power circuitry built-in, all I need to do is plug it in, no extra cables needed.

I also still have the laptop battery, so I could even have a built-in UPS for the system, but it would take a lot of space and I already have a UPS for everything in the rack, so it would be redundant.

I tried to fit the power supply in the chassis with everything, but it was a tight fit and would be problematic for cooling as the exhaust is blowing right on it and has nowhere to go. It would have to be outside, mounted in the rack.

Storage

I went with a Kingston 60GB 2.5″ SATA SSD. It may be overkill for now, but it might be beneficial for the monitoring later. As for the OS itself, a much smaller and slower storage solution would have sufficed, but that’s what I had laying around.

NIC

The laptop has a Gigabit Ethernet port and a WiFi card, but I will not be using either of them.

The Ethernet port could be useful, but it’s located on a side of the board that will not point to the back of the chassis, so connecting and disconnecting cables would be very difficult.

Moreover, I need more than one interface for this router. As I mentioned earlier, I want at least 3.
I could go the ROAS (Router On A Stick) way, where the WAN and LAN interfaces are VLAN sub-interfaces on the same physical port, so the router needs just one port. This requires a managed switch (which I have) with a trunk port carrying both VLANs to the router, but it limits total bandwidth, since all the virtual interfaces share the same 1Gbps link and routed traffic crosses it twice (in on one VLAN, out on another). It also puts the untrusted WAN segment on the same switch as the LAN, so the isolation between them then depends entirely on the switch's VLAN configuration. Not what I want, although a cool technique.

After some research, I found that the most common recommendation for PC-based routers is a server NIC based on the Intel i350 chipset, so I bought a 4-port one off eBay.

Server NIC on a laptop?

Yes. Remember that WiFi card in the mini PCI-E slot? Mini PCI-E is electrically a regular PCI-E x1 link (plus USB 2.0) in a small form factor, so it's possible to adapt it to a full-size slot with a riser and use it like a regular PCI-E interface. Many people use this technique to connect desktop GPUs to laptops; it's usually called eGPU.

If a GPU is possible, why not a NIC?

While theoretically possible, I was very skeptical that it would work, so I bought a few different risers to give it the best chance.

Speed

The card itself is PCI-E x4, but mini PCI-E is only x1. This is not a problem in terms of compatibility, since PCI-E devices negotiate down to fewer lanes; they will just be limited in bandwidth.
A single lane of PCI-E v1.1 signals at 2.5GT/s in each direction (the link is full duplex), which after 8b/10b encoding overhead comes to about 2Gbps of usable bandwidth per direction. Keep in mind that routed traffic crosses the lane twice, up to the host from the ingress port and back down to the egress port, so a 1Gbps download costs about 1Gbps in each direction, and saturating the WAN link both ways at once uses the whole lane. This means that I can get the full 1Gbps WAN to LAN speed, with some headroom for LAN to LAN (EXP) traffic when the WAN link isn't maxed out in both directions, but I will not be able to get 10Gbps if I ever want it, and even a 2.5Gbps link would be throttled by the lane. I won't be able to utilize all 4 1Gbps ports on the card at once, either. Bummer, but I didn't expect free, used and old consumer hardware to be the ultimate solution for everything.
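To make the lane budget concrete, here is an added example (mine, not from the original post) that models the i350 behind a single lane as a full-duplex link and checks which traffic patterns fit. The point it demonstrates is the one above: a flow that enters on one of the card's ports and leaves on another costs its full rate in both directions of the lane. The per-generation rate table and the sample flows are assumptions for illustration; the post itself only establishes the PCI-E 1.1 x1 case.

```python
# Added example, not from the original post: a back-of-the-envelope link budget
# for a multi-port NIC behind a single PCI-E lane. Everything is in Mbps per
# direction; PCI-E is full duplex, so upstream (card -> host) and downstream
# (host -> card) are budgeted separately.

# Raw signalling rate per lane (Mbps) and the line-code payload fraction.
# Assumed table for illustration; the post only mentions PCI-E 1.1.
_GEN = {
    1: (2500, 8, 10),      # PCI-E 1.x: 2.5 GT/s, 8b/10b encoding
    2: (5000, 8, 10),      # PCI-E 2.0: 5 GT/s, 8b/10b
    3: (8000, 128, 130),   # PCI-E 3.0: 8 GT/s, 128b/130b
    4: (16000, 128, 130),  # PCI-E 4.0: 16 GT/s, 128b/130b
}


def lane_mbps(gen: int, lanes: int = 1) -> int:
    """Usable payload bandwidth per direction after encoding overhead.
    Packet (TLP) framing is ignored, so real throughput is a little lower."""
    raw, num, den = _GEN[gen]
    return raw * lanes * num // den


def lane_load(flows):
    """Load a set of forwarded flows puts on the lane, as (upstream, downstream).

    A flow is (mbps, enters_on_card, leaves_on_card). A packet that arrives on one
    of the card's ports is DMAed up to the host; if it leaves through another of
    the card's ports it is DMAed back down. Routing between two ports on the same
    card therefore costs the flow's rate in BOTH directions, while traffic that
    enters or exits via some other interface (e.g. the laptop's onboard port)
    costs it in only one.
    """
    up = down = 0
    for mbps, enters_on_card, leaves_on_card in flows:
        if enters_on_card:
            up += mbps
        if leaves_on_card:
            down += mbps
    return up, down


def fits(flows, gen: int = 1, lanes: int = 1) -> bool:
    """True when both directions of the lane can carry the offered load."""
    cap = lane_mbps(gen, lanes)
    up, down = lane_load(flows)
    return up <= cap and down <= cap


# The post's setup: WAN, LAN and EXP ports all live on the 4-port card, which
# sits behind a single PCI-E 1.1 lane through the mini PCI-E riser.
WAN_DOWNLOAD = (1000, True, True)  # 1Gbps in on WAN, out on LAN
WAN_UPLOAD = (1000, True, True)    # 1Gbps in on LAN, out on WAN
LAN_TO_EXP = (1000, True, True)    # 1Gbps between two LAN-side ports

if __name__ == "__main__":
    print("usable per direction, PCI-E 1.1 x1:", lane_mbps(1), "Mbps")
    print("1Gbps download alone:", fits([WAN_DOWNLOAD]))
    print("WAN saturated both ways:", fits([WAN_DOWNLOAD, WAN_UPLOAD]))
    print("...plus 1Gbps LAN to EXP:", fits([WAN_DOWNLOAD, WAN_UPLOAD, LAN_TO_EXP]))
    print("2.5Gbps download alone:", fits([(2500, True, True)]))
    print("same load on a PCI-E 2.0 x1 slot:",
          fits([WAN_DOWNLOAD, WAN_UPLOAD, LAN_TO_EXP], gen=2))
```

Run as a script it shows that a saturated full-duplex 1Gbps WAN exactly fills a 1.1 lane, that adding LAN-to-EXP traffic on top does not fit, and that the same card in a PCI-E 2.0 slot would have room to spare.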

Hooking It Up

Both risers use a USB 3.0 cable for the data, which is interesting. I expected some special cable, but a USB 3.0 cable has enough shielded pairs for a single PCI-E lane and is rated for these speeds (only the cable is borrowed; it carries raw PCI-E signalling, nothing USB is involved), so it makes sense not to reinvent the wheel.

Power is delivered via a SATA power connector. The 8x riser does not have a power connector on the mini PCI-E side, so it requires a separate power source, like the SATA drive connector (or straight from the PSU, if it has SATA). The 4x riser has a SATA power connector on the mini PCI-E side, probably because they expect 4x and less PCI-E cards to not be power hungry, so they can be powered from the PCI-E connector. It does not, however, come with a power cable, so I had to make one.

I tried both of the risers and they both seem to work similarly, but the 8x one was a little too big and required some creativity to provide it with power, so I stuck with the 4x one, as it was much more friendly to work with and I didn’t really need the full 8x slot.

Mounting it all in the chassis

The chassis is designed to house a mini-ITX board and a 1U flex PSU, so I’ll need to do some modifications to house my hardware.

Motherboard

I need to have mounting holes in the right places for the laptop motherboard. I thought about driving screws from the bottom of the case, but they wouldn’t be flush with the case panel, so they might interfere and not fit in the 1U space.

Another idea was to put a piece of plywood on the bottom of the case and have screws driven into it from the top. This might have worked, but it might take up too much space in the case and I didn't really like how it would look.

I ended up designing and printing PETG standoffs. They would be glued to the bottom of the case and have screws driven into them from the top. They would also leave space under the motherboard for airflow.

Positioning the standoffs was a lot easier than measuring hole positions in plywood or in the chassis itself. I just screwed the standoffs on the motherboard, applied epoxy to the bottom of them and placed the motherboard in the case. The standoffs end up exactly where they need to be.

SSD

The SSD is connected directly to the motherboard and not with a cable. This means that the position of the motherboard has to leave room for the SSD.

I printed a bracket for the SSD so that it’s held straight and at the height of the connector.

In order to position the bracket correctly, I installed the SSD inside of it and connected it to the motherboard. I left them connected while the epoxy hardened.

NIC

The chassis has a single PCI-E bracket, so there’s only one place for the card to go.

The card doesn’t really need any special mounting or support as it’s held by a screw on one side and is light enough to not sag.

As mentioned, the card is powered by a cable I had to make using 18AWG silicone-insulated wire and SATA power connectors.

Cooling

The motherboard already has a cooling solution for the CPU and GPU, but being optimized for a laptop, it takes in air from the top (which was the bottom of the laptop) and exhausts it from the side.
This is not ideal for a rackmount computer, because the hot air would just circulate in the case, being sucked back into the cooler, making it less effective.

In order to help cool the hardware and create front-to-back air flow like in most rackmount systems, I installed two 40mm intake fans in the front of the case and another two exhaust fans in the rear next to the cooler.

To power the fans, I had to splice the NIC’s SATA power cable and insert some quick connection blocks in the middle, as there are no fan pins or auxiliary power pins like in desktop motherboards.

I also blocked the I/O panel hole in the back of the chassis and added an aluminum wall to guide the hot air to the fans so that they pull air through the cooler and not just suck cold air from the front.

Front I/O

USB

The laptop has separate daughter boards for the power button, USB ports and audio jacks.

I don’t really need the audio jacks, but making the front USB ports and power button work would be cool.

The USB board is connected to the motherboard via a short flat cable.
The chassis front USB ports come with standard internal USB connectors for a standard motherboard.

In order to connect the two without making modifications to the daughter board, I soldered male USB connectors on the internal cables and plugged them into the ports in the board.

Power Switch and LED

The power button daughter board doesn’t have any connectors for easy extension, so I had to follow the traces on the board and figure out which pins go to the switch and the LED, so that I could solder regular Dupont connectors to it to make it compatible with the power button cable of the chassis.

Software

BIOS

When I first connected the NIC and turned the computer on, it powered up, the lights lit up on the card and on my switch and I saw the card in the OS (I installed the OS first, but more on that later). Very good signs, I was pleasantly surprised.

When I tried to configure the interfaces and bring them up, they would not do anything. The lights stayed static and the software didn't show them changing status when I connected and disconnected the Ethernet cable.

I tried switching the riser and rebooting a few times, but no change.

It turns out that this series of laptops (Lenovo Y410p) has a whitelist in the BIOS of the WiFi cards that may be used with the computer. This is done so that only cards the laptop was certified with (typically for radio regulatory compliance) can be used, but it evidently also gets in the way of a plain NIC in the same slot.

Luckily, there are some amazing genius people who take the stock BIOS and mod it to remove the whitelist and add some more features. Most of them do this in order to connect GPUs to the laptop, but I only care about the whitelist. Flashing firmware modified by a third party is a trust decision, though: whatever is in that image runs underneath the firewall OS, so it is worth keeping the stock image to flash back and sticking to a build that other users in the thread have already tested.

You can find the discussion and files in this forum post:
https://www.techinferno.com/index.php?/forums/topic/12014-lenovo-y410py510p-bios-mod-to-enable-nvidia-egpu-support/

The installation should be pretty straightforward for a complete laptop, but it turns out that upgrading the BIOS on just the motherboard is not possible.

It's not enough to have the power cable connected: although the computer runs fine on the cable alone without the battery, the BIOS update requires that the battery be connected.

Luckily, I kept the original battery and didn't destroy it for its cells.

With the original battery, power cable and screen connected, I was able to upgrade the BIOS like normal.

After a quick test, I could see the ports respond to plugging and unplugging of the ethernet cables and I could configure the interfaces in the OS. Success.

I booted up Windows just as a test to see that all the hardware works and that everything is fine. After validating that, I could continue to install the OS that will actually run on the machine.

OS

While my network is more complex than a regular home network, it's pretty simple in comparison to what most mainstream router/firewall software can handle. So the choice here isn't critical; they will all do the job and give me enough flexibility for future expansion.

I chose to use pfSense. I’ve used it before and it’s free and open source. It also has a large community, so finding answers is easier.

I won’t include a configuration guide, as there are so many of those out there for all types of setups and configuring the router and switch is a project in and of itself.
I’ll just go over the high level setup.

Topology

One of the main goals of the new network is to separate the different devices and traffic types into VLANs and improve the overall security.

The inter-VLAN routing will be handled by the managed L3 switch, so traffic that is not going out to the internet will not pass through the router. This simplifies the configuration of the firewall a bit, but it also means the firewall never sees inter-VLAN traffic: any policy between VLANs has to be enforced with ACLs on the switch, while the firewall rules cover each VLAN's internet access (or denial of access).

There is also another network, completely separated from the main LAN. This will be an experimental network for research. The idea is to have an isolated environment that will not affect my main network if I do stupid things on it.

I want the experimental network’s traffic to pass through the firewall, even if it doesn’t go out to the internet.
For this, I’ll connect the network directly to the router, on a separate port, and not just have a separate VLAN in the switch.

I might also have an isolated VLAN in the switch, without any routing to other VLANs, just to get more ports for the experimental network so that I don't have to buy another switch. In that case the isolation of the experimental network depends on the switch's VLAN configuration as well as on the firewall, since the two networks would share hardware.

Extra Functionality

There are some network services that can benefit from running on the gateway and not in the LAN. Here are some of the services and programs I run on the router in addition to the routing and firewall functionalities:

  • OpenVPN – VPN server to be able to access my network securely from the outside
  • iperf – Network performance testing tool
  • vnStat – Network traffic monitor
  • dpinger – Latency and internet packet loss monitor
  • ntopng – Network usage monitor
  • arpwatch – IP-MAC binding change monitor
  • nmap – Network scanner for detecting hosts and services
  • NUT (Network UPS Tools) – UPS status monitor
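The arpwatch entry above is the one with the most detection value on a segmented network: a gateway or server whose IP suddenly answers from a different MAC is the classic ARP-spoofing symptom, and a new station on a supposedly locked-down VLAN is worth a look. As an added example (mine, not arpwatch's code or anything from the original post), here is a minimal monitor in the same spirit, fed with `arp -an` output in the format pfSense (FreeBSD) prints. The snapshots are constructed, and the interface name igb1 is assumed; arpwatch itself listens to ARP traffic directly rather than polling the table.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the original post: an arpwatch-style IP/MAC binding
# monitor fed with `arp -an` output as pfSense (FreeBSD) prints it, e.g.
#   ? (192.168.1.10) at 00:0c:29:aa:bb:10 on igb1 expires in 1193 seconds [ethernet]
# Entries that are still "(incomplete)" have no MAC and are skipped.
_ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)


def parse_arp_table(text: str):
    """Yield (interface, ip, mac) for every complete entry in `arp -an` output."""
    for line in text.splitlines():
        m = _ARP_LINE.match(line.strip())
        if m:
            yield m["ifname"], m["ip"], m["mac"].lower()


@dataclass
class ArpMonitor:
    """Remembers the MAC last seen for each (interface, IP) and reports changes
    between snapshots, in the spirit of arpwatch:
      new station              - an IP seen for the first time
      changed ethernet address - an IP now answers from a MAC never seen for it
      flip flop                - an IP moved back to a MAC it used before
    """
    current: dict = field(default_factory=dict)  # (ifname, ip) -> mac
    history: dict = field(default_factory=dict)  # (ifname, ip) -> {past macs}

    def observe(self, snapshot: str):
        """Ingest one `arp -an` snapshot; return a list of alert tuples
        (kind, ifname, ip, new_mac, old_mac)."""
        alerts = []
        for ifname, ip, mac in parse_arp_table(snapshot):
            key = (ifname, ip)
            seen = self.history.setdefault(key, set())
            old = self.current.get(key)
            if old is None:
                alerts.append(("new station", ifname, ip, mac, None))
            elif old != mac:
                kind = "flip flop" if mac in seen else "changed ethernet address"
                alerts.append((kind, ifname, ip, mac, old))
            seen.add(mac)
            self.current[key] = mac
        return alerts


# Constructed snapshots (not captured from a real network). Between the first
# and second, the gateway .1 keeps its MAC, .10 suddenly answers from a new
# MAC and .20 finishes resolving; in the third, .10 bounces back.
SNAPSHOT_1 = """\
? (192.168.1.1) at 00:0c:29:aa:bb:01 on igb1 expires in 1177 seconds [ethernet]
? (192.168.1.10) at 00:0c:29:aa:bb:10 on igb1 expires in 1193 seconds [ethernet]
? (192.168.1.20) at (incomplete) on igb1 expired [ethernet]
"""
SNAPSHOT_2 = """\
? (192.168.1.1) at 00:0c:29:aa:bb:01 on igb1 expires in 1100 seconds [ethernet]
? (192.168.1.10) at de:ad:be:ef:00:10 on igb1 expires in 1199 seconds [ethernet]
? (192.168.1.20) at 00:0c:29:aa:bb:20 on igb1 expires in 1180 seconds [ethernet]
"""
SNAPSHOT_3 = """\
? (192.168.1.1) at 00:0c:29:aa:bb:01 on igb1 expires in 1000 seconds [ethernet]
? (192.168.1.10) at 00:0c:29:aa:bb:10 on igb1 expires in 1199 seconds [ethernet]
? (192.168.1.20) at 00:0c:29:aa:bb:20 on igb1 expires in 1080 seconds [ethernet]
"""


def run_demo():
    """Feed the three snapshots through one monitor; return all alerts in order."""
    mon = ArpMonitor()
    return [a for snap in (SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3) for a in mon.observe(snap)]


if __name__ == "__main__":
    for kind, ifname, ip, new, old in run_demo():
        print(f"{ifname}: {kind}: {ip} {old} -> {new}")
```

On a real box this would be driven by a cron job capturing `arp -an` on each interface, with the alert list going to syslog or a notification; the flip-flop case is kept separate because a host bouncing between two MACs usually indicates either an active spoofing tool or two machines fighting over one address, and both deserve a different response than a one-off NIC replacement.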

Rack

I installed the router in the rack and connected it to the power, switch and the ISP’s fiber to ethernet converter. This is what it looks like in the rack.

Reliability, Future

I've been using the router with a pretty basic configuration for a few months and it seems to perform very well. I haven't had any problems with it, neither with the hardware nor the software, and it gives me some very useful insight into my network.

Now I’m ready to start playing around with some advanced networking.
The next steps will be to configure the switch to segment the network and then have some better enforcement in the firewall.

