I'm going to get an MOCHAbin – Globalscaletechnologies.com for which a OpenWrt Firmware Selector is available.
As this is only the default OpenWRT configuration I'm wondering which package should be included to exploit its full potential.
As the SNAPSHOT is available it should be pretty straightforward to create a custom build, based on this.
I'm wondering what to choose to be added as default.
I currently think of:
what do you think is usfull?
Start small and extend as necessary.
Wireguard is imho a no-brainer, same for OpenVPN (if you really need it).
For snort3, the hardware is probably not really fast enough, unless you only need rather tame WAN speeds.
Asterisk/ Freeswitch is heavily complex software, very easy to misconfigure and break open serious security issues, I'd advice against running this on your router (or at all, unless you're really familiar with it).
While running a fileserver on that hardware might sound tempting, I'd recommend against the security implications of doing so.
A router is a router, is a router, it's your bastion host against the open internet - don't overload it with orthogonal services just because you have cycles to spare. The prerogative should be to keep it simple and working, most of all secure and safe against accidental misconfiguration.
What service and where in the network?
I would have this on a “server” inside the actual network with its own login password (not the same as the router!) and with its own encrypted connection, firewall and logging.
If you're going to do IDS I'd highly recommend you to look for a server/network oriented distro that doesn't target embedded devices with very limited storage. I would also assume like slh that your hardware is going to be too slow for IDS snort3/suricata unless it's a rather slow connection. Unfortunately I'm not aware of any "mainstream" distros supporting the MOCHAbin but I haven't looked thoroughly.
It shall be the edge router, I have an MikroTik Routers and Wireless - Products: CCR1009-7G-1C-1S+ as core router, which does the routing between the VLANs and www.
MOCHAbin would be the gatekeeper to the www.
Services for sharing with the public (friends and family) would be put in the DMZ.
Hope the following pictures help a bit
I would only use containerized services, so the main risk comes from the docker implementation. If I put the services on a device in the DMZ or another router, there is pretty much the same risk due to misconfiguration.
could only find specs for RAM not for CPU. I would test and see. The package can be switched on on-demand but would be nice to have it config in the build, so you don't have to go through configuration again when it is reset.
I still have a powerful server whereto I could offload the burden.
I have am Debian and Ubuntu images for it
Forgot to say, thx a lot for the contributions so far
may I ask, any additional thoughts ?