2011/07/20

Zeroshell: an Italian Router - Firewall - Bridge

Zeroshell is a free Italian Linux distribution that can be installed on a standard PC and that provides the main network services a LAN normally requires (router, bridge, firewall, VPN, HTTP proxy, captive portal, etc.).



It is available in Live CD or Compact Flash image and you can configure and administer it via a web browser.
Anyone with a little familiarity with such hardware can reuse an old, obsolete PC and turn it into a router (all at no cost!).

Among the many features provided by this tool, I found these very interesting:
1) The Net Balancer, which can operate in two modes:
   a) "Load Balancing and Failover", where requests for access to the Internet are balanced automatically and in proportion to the weight of each gateway and, if one gateway fails, it is excluded from the automatic balancing;
   b) "Failover", where only one link is active at a time (the one with the highest weight among those that are not in the Fault state). The others are in the Spare state, ready to take over if the active link is interrupted.

2) The Virtual Private Network (LAN-to-LAN): the ability to create encrypted links (permanent and automatic) between geographically dispersed network points over the Internet.

Updates:
July 15, 2014: Zeroshell 3.1.0 is available. This new release improves the stability of the system and corrects many bugs. Among the new features, there are some nice additions such as:
  • The Installation Manager that allows you to install Zeroshell in an easy way, starting from the ISO/USB image or from an already running installation.
  • The Weighted Bonding used to distribute traffic proportionally to the capacity of the interfaces that are part of the bond.
  • The Monitoring and e-Mail/SMS Alerts Suite that warns you or a team of people of the occurrence of an event. The list of events can be extended with custom event handlers.
  • The CNTop Utility which shows the top list of the hosts with the highest number of connections. This is very useful if a DDoS is taking place to discover the IP address causing the problem.
Among other things, the Captive portal has been improved with a special tuning and now can handle many more simultaneous users.
If you already have release 3.0.0 installed and repository access enabled, you can automatically upgrade to Zeroshell 3.1.0 without losing the configuration just by clicking on the package 53100. Do not forget, however, that if you are planning to use the Installation Manager all data on the target disk will be destroyed, so you have to back up the profile and then restore it on the new release.
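The kind of ranking the CNTop bullet above describes, as an added example (not CNTop's code and not part of the original post): it counts tracked connections per originating host from text in the style of Linux `conntrack -L` output. The sample entries, the addresses and the `top_talkers` name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the style of Linux `conntrack -L` output
# (documentation-range addresses; not data from a real Zeroshell box).
_FLOWS = [
    (431999, "ESTABLISHED", "192.0.2.10", 40001),
    (58, "SYN_RECV", "203.0.113.7", 1025),
    (57, "SYN_RECV", "203.0.113.7", 1026),
    (59, "SYN_RECV", "203.0.113.7", 1027),
    (431990, "ESTABLISHED", "192.0.2.10", 40002),
    (119, "TIME_WAIT", "192.0.2.23", 51000),
    (56, "SYN_RECV", "203.0.113.7", 1028),
]
SAMPLE = "\n".join(
    f"tcp 6 {ttl} {state} src={src} dst=198.51.100.5 sport={sport} dport=80 "
    f"src=198.51.100.5 dst={src} sport=80 dport={sport} mark=0 use=1"
    for ttl, state, src, sport in _FLOWS
) + (
    "\nudp 17 25 src=192.0.2.23 dst=198.51.100.53 sport=5353 dport=53 "
    "src=198.51.100.53 dst=192.0.2.23 sport=53 dport=5353 mark=0 use=1"
)

FIRST_SRC = re.compile(r"\bsrc=(\S+)")

def top_talkers(conntrack_text, limit=3, state=None):
    """Rank originating hosts by number of tracked connections.

    Each entry lists the original direction first, so the first src= is
    the host that opened the connection. `state` optionally keeps only
    TCP entries in that state (e.g. SYN_RECV for half-open connections).
    """
    counts = Counter()
    for line in conntrack_text.splitlines():
        fields = line.split()
        match = FIRST_SRC.search(line)
        if len(fields) < 4 or match is None:
            continue  # blank or malformed line
        # TCP entries carry a state word before the first src=; UDP ones do not.
        entry_state = None if fields[3].startswith("src=") else fields[3]
        if state is not None and entry_state != state:
            continue
        counts[match.group(1)] += 1
    return counts.most_common(limit)

if __name__ == "__main__":
    print(top_talkers(SAMPLE))
    print(top_talkers(SAMPLE, state="SYN_RECV"))
```

Filtering on `SYN_RECV` separates a host holding many half-open connections from one that is simply busy.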
May 10, 2014: The Monitoring and e-Mail/SMS Alerts Suite is a new component that enables Zeroshell to keep under control some critical Events that could occur. Each event is assigned a Severity Level, based on which the Recipients of e-mail and SMS alerts are selected. The Severity Levels are: Info, Warning, Critical and Emergency.
This package is available for Zeroshell 3.0.0 as a New Feature and is highly recommended in a production environment where some critical events may have to be handled very quickly.
January 25, 2014: A new procedure to easily install Zeroshell on disk is available as a New Feature for release 3.0.0. The Install Manager automatically resizes the profile partition to use the entire disk space. Keep in mind that in a production environment you should always prefer the installed version of Zeroshell because it is faster and more reliable than the Live CD version.
Please read the page http://www.zeroshell.org/installation-manager for more details.
January 13, 2014: Weighted Bonding has been implemented for Zeroshell 3.0.0 as a new feature. Using Weighted Bonding you can distribute traffic proportionally to the capacity of the interfaces that are part of the bond. Before the introduction of this feature, traffic was distributed by a simple Round-Robin load balancing that treated the interfaces uniformly, regardless of the actual available bandwidth on each of them. The direct consequence was that you could benefit from bonding only if the merged lines had a similar capacity. For example, adding a 2Mb/s ADSL line to a 7Mb/s one resulted in a bandwidth close to 4Mbit/s, far from the expected 9Mb/s.
Now with Weighted Bonding, by assigning to the first ADSL line a weight of 2 and to the second one a weight of 7, you can see a bandwidth aggregation very close to the sum of the two lines that are members of the bond.
Note that, for simplicity, the example intentionally omits that the bonding of WAN lines only makes sense through VPN bonding and that the weights should be assigned to the Layer 2 VPN interfaces.
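The 2Mb/s + 7Mb/s case above, worked through as an added example (not Zeroshell's code): a smooth weighted round-robin scheduler stripes packets over the links and a simplified model computes the resulting throughput. The function names and the model (links send in parallel, the transfer ends when the most loaded link finishes) are assumptions made for illustration.

```python
from fractions import Fraction

def wrr_schedule(weights, n_packets):
    """Smooth weighted round-robin: return the link index chosen for each packet."""
    credit = [0] * len(weights)
    total = sum(weights)
    order = []
    for _ in range(n_packets):
        for i, w in enumerate(weights):
            credit[i] += w
        link = max(range(len(weights)), key=credit.__getitem__)
        credit[link] -= total
        order.append(link)
    return order

def aggregate_throughput(capacities_mbps, weights, n_packets=9000):
    """Mb/s achieved by one saturated flow striped over the bonded links.

    Simplified model (an assumption, not Zeroshell's code): all links send
    in parallel and the transfer ends when the most loaded link, relative
    to its capacity, has drained its share of the packets.
    Capacities must be integers.
    """
    order = wrr_schedule(weights, n_packets)
    per_link = [order.count(i) for i in range(len(weights))]
    # Time each link needs, in units of "one packet per Mb/s".
    duration = max(Fraction(n, c) for n, c in zip(per_link, capacities_mbps))
    return float(n_packets / duration)

if __name__ == "__main__":
    lines = [2, 7]  # the two ADSL lines from the text, in Mb/s
    print("round-robin (1:1):", aggregate_throughput(lines, [1, 1]))
    print("weighted    (2:7):", aggregate_throughput(lines, [2, 7]))
    print("swapped     (7:2):", aggregate_throughput(lines, [7, 2]))
```

With equal weights the slow line caps the bond at twice its own rate; weights that mirror the capacities recover the sum, and weights assigned the wrong way round do worse than plain round-robin.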
January 2, 2014: Zeroshell 3.0.0 includes relevant new features such as the automatic update system, which automatically applies security and bug fixes and allows upgrading to the next releases. Several bugs have been fixed and security has been improved. The MRTG graphs no longer require an activation key to be viewed. There are several kernels optimized for different processors and a kernel compiled with PAE (Physical Address Extension), which allows you to use more than 4GB of RAM.
August 7, 2013: With release 2.0.RC3 of Zeroshell some security issues have been corrected. Specifically, the DNS now works as a cache and accepts recursive queries only from local networks unless configured otherwise. Recently, fully open DNS servers have been used to carry out DDoS attacks, resulting in bandwidth consumption. For this reason, migration to 2.0.RC3 is strongly recommended.
No-IP has been added as a provider for dynamic DNS and the recognition of 3G USB modems has been enhanced. You can now disable the virus scan of web pages resulting in improved performance of the transparent proxy on modest hardware.
Several fixes have been applied on the procedure for Backup and Restore of the profiles.
November 21, 2012: Zeroshell 2.0.RC2 improves the support for load balancing and fault tolerance of multiple connections to the Internet. In particular, this release allows PPPoE (xDSL) and UMTS/HSDPA connections to be kept in Standby, activating the PPP protocol only when connectivity from the other accesses is absent. These connections are placed in standby mode again when connectivity is recovered from the default accesses. The Failover mechanism has been improved with checks at Layer 2 as well as with ICMP. The VPN Bonding for bandwidth aggregation and failover of LAN-to-LAN connections has been updated. Several bugs in the system have been fixed. In particular, a problem that caused the Captive Portal to freeze under high load has been solved.
July 25, 2012: Zeroshell 2.0.RC1 has a new kernel (3.4.6) that enables better recognition of the latest hardware. The Wi-Fi section, using the ath9k kernel module, supports the 802.11n standard (thanks to Arth for the contribution to the upgrade of the wifi-manager). The atheling's patch was included to allow QoS and network balancing to be used simultaneously. In addition to OpenVPN and IPSec/L2TP, you can use PPTP as a VPN protocol for users whose authentication can also be delegated to an external RADIUS. Several bugs were fixed, with particular attention to the Captive Portal.

PERSONAL EXPERIENCE: 
I currently use the network load balancing function of Zeroshell with two ADSL balanced connections of different ISPs and different speeds.
On two other Zeroshell I use a VPN LAN-to-LAN to easily connect a company that has two offices located in different cities using their ADSL connection.


Here are some of the most important features: 

- Balancing and Failover of multiple connections to the Internet; 
- UMTS / HSDPA 3G modem; 
- RADIUS Server 
- Captive Portal 
- Management of QoS (Quality of Service) 
- HTTP Proxy with ClamAV open source antivirus 
- Support for the functionality of the Wireless Access Point Multi SSID using WiFi network cards based on Atheros chipsets. 
- VPN LAN-to-host protocol L2TP/IPsec 
- VPN LAN-to-LAN with Ethernet encapsulation in an SSL/TLS tunnel;
- Router with static and dynamic 
- 802.1d bridge with Spanning Tree 
- Firewall Packet Filter and Stateful Packet Inspection (SPI) 
- Control through Firewall and QoS classification of traffic type P2P file sharing; 
- NAT (Network Address Translation) 
- TCP / UDP port forwarding (PAT) to create Virtual Server 
- Multizone DNS server with automatic management of the Reverse Resolution in-addr.arpa
- Multi subnet DHCP server with the ability to assign IP address based on MAC address of the applicant; 
- 802.1Q Virtual LAN (tagged VLAN) applicable on Ethernet interfaces, on LAN-to-LAN VPNs, on VPN bonds and on bridges consisting of Ethernet interfaces, VPNs and VPN bonds;
- PPPoE client to connect to the WAN via ADSL, DSL and cable 
- Dynamic DNS client used to easily reach even when the WAN IP is dynamic. 
- NTP (Network Time Protocol) client and server;
- Syslog server for receiving and cataloging the system logs produced by the remote hosts including Unix systems, routers, switches, Wi-Fi access points, network printers and others compatible with the syslog protocol; 
- Kerberos 5 authentication using an integrated KDC and cross-domain authentication; 
- LDAP, NIS and RADIUS authorization;
- X.509 Certificate Authority for issuing and managing electronic certificates; 
- Integration between Unix and Windows Active Directory on a single system of authentication and authorization using LDAP and Kerberos 5 cross realm authentication.
© ALL RIGHTS RESERVED

3 comments:

  1. regards,

    I just installed the 3.0.0 zeroshell, excellent router / firewall, very comprehensive and superior features, the best I've worked with. Good Holiday as 100%. willing to try the extended features of cache and filter web. will comment on this route

    1. Hi Daniel,
      unfortunately, due to time constraints, I have not yet updated all my router Zeroshell (currently 3) to the latest version 3.0.0. This is because I wanted to be sure of the stability of the last version and then because I read on the forum that there was a need to reformat the hard disk. Obviously people installing Zeroshell on clean machines have no problem, but I have to do the upgrade on routers used in production. However, I plan to do so shortly and surely I will update my impressions also on version 3.0.0!
      bye

  2. I have installed the 3.1.0 zeroshell, which is for me the best linux firewall distribution. It has very important features such as the captive portal or the Transparent Proxy with Web Antivirus. The only thing I miss is an interface compatible with mobile devices, but I think it will be available soon. ;-)
