LWN.net Logo

Can FreedomBox be an alternative to commercial home routers?

By Nathan Willis
July 4, 2012

Recent actions by network hardware behemoth Cisco have irked a number of people who feel that the company is not respecting its customers' privacy. In response, members of the FreedomBox project have begun discussing whether the freedom-protecting device could adequately serve as a home router replacement. Such a move would mark a slight shift in focus for the project, but it may enable FreedomBox to offer the best alternative for those concerned over remote spying and other privacy threats.

Cisco raised the ire of online privacy advocates in June when it rolled out "Cisco Cloud Connect," a cloud-based configuration and management system for recent Linksys WiFi routers. The terms of service specifically state that Cisco may record users' Internet history (among several other types of information the service will track). In addition, the new cloud-based service was deployed to existing consumers' devices without their prior notice or consent. Device owners were first made aware of the change when they attempted to log in to their routers' web administration interfaces and could not — with a message instructing them to go register for the new cloud service instead.

Bloomberg reported on a response from Cisco's home networking chief, who said that the company was "absolutely not tracking Internet history, nor do we intend to" and chalked the issue up to "unclear" wording. Cisco has subsequently altered the wording in question, which now says that "usage" information is only associated with a randomly-generated ID number controlled by the device owner. The new wording also explains how consumers (including those whose devices have already been "upgraded" to the new cloud service) can opt-out of the service and revert to the old administration interface — by calling a Cisco telephone support number.

But that may not be enough to mollify privacy advocates. After all, court orders, warrants, or other means could force Cisco to reveal its stored information to other parties, at which point device owners have to trust that the randomly-generated ID is truly untraceable. Admittedly, the ISP has access to the same information, but replicating it elsewhere still makes one more vulnerable, not less. Add to that the fact that Cisco reserves the right to unilaterally modify its terms of service whenever it feels like it, and giving someone else control over one's router may not sound like a good trade-off just for the convenience of managing it through The Cloud.

Whither FreedomBox?

That chain of events led Sean Alexandre to write to the FreedomBox discussion list and ask whether or not serving as a home gateway router should be a target for the first stable FreedomBox release:

I remember from Eben's original talk on FreedomBox he described it as something people would use to replace their home wireless routers. They go to the store to buy a new wireless router, and buy a FreedomBox instead of a WeSpyOnYouBox.

FreedomBox, of course, is an effort to develop a "personal server" image that delivers secure, privacy-respecting software for common applications like email, social networking, and media delivery. Eben Moglen kickstarted the project in 2010, and the initial target hardware was so-called "plug computers." Thus, Alexandre's proposal does represent a shift in emphasis: although some routing tasks (such as firewalling) have been discussed, serving as a router-replacement or wireless access point has not been prominent on the development roadmap.

But replacing a WiFi router would be a useful, well-defined use case, he suggested, and allow the project to roll a usable release "sooner rather than later." Later releases of the software could add additional functionality. The practical problem, he said, was whether or not FreedomBox's Debian base could be made to run on home wireless router hardware with the features most consumers expect.

Alexandre's router-first concept would give FreedomBox an attainable goal, which would benefit the project. After all, despite its clout and technical prowess, the project is still a considerable ways from delivering the end goal of a plug-and-play email and cloud-computing experience with GnuPG-hardened encryption — not because the project isn't up to the challenge, but because of the sheer size of that challenge. FreedomBox developers are hard at work on a number of difficult problems, such as enabling two firewall-protected boxes to locate each other and establish a connection (the project's solution piggybacks on the Tor network). Rolling a routing-centric release would raise the project's profile while permitting development to continue.

The software angle

The FreedomBox distribution is intended to run on a range of hardware, and the project elected to build it on top of Debian in order to provide broad compatibility (among other goals). Clearly Debian itself is more than capable of serving as a NAT gateway, router, and firewall. But there are other considerations that might make building a router-centric FreedomBox release more difficult.

For starters, network configuration for a plug-and-play box needs to be straightforward, and ideally provide a working "first run" experience. Even the aftermarket router firmware projects (such as OpenWRT) struggle to make configuration simple, and FreedomBox strives to eventually enable the user to configure all sorts of additional services — some of which require tasks like key generation. The project has yet to select a configuration system; OpenWRT's Unified Configuration Interface (UCI) seems like a natural choice for the router use-case, but it may not extend easily to FreedomBox's other applications.

A separate issue, raised on the list by Jonathan Wilkes, is whether ISPs will allow users to bring their own routers. Some service providers rent wireless routers to customers, others supply their own devices (which do NAT and firewalling) that are combination units with DSL or cable modem functionality built in to a wireless router. In both cases, the area of concern is that the ISP requires that their device be the one doing NAT. A double-NAT configuration might be possible, but would not be simple to configure or troubleshoot. As Wilkes put it, such a departure from the plug-and-play server concept is more complicated from a user's point of view:

I think from the user perspective, plugging in a FB _behind_ what their ISP already has installed is way easier to set up and immediately start using, but less powerful (I'm thinking of the setup discussed recently where it's basically piggybacking over Tor make connections). Of course replacing one's router with a FB-- if there isn't a double-NAT-- opens up many more possibilities for what you can do with it.

Maybe the best of both worlds would be to make the UI for the easy solution (i.e., FB behind the router), at least initially. Even though it's less power for the non-techie user, it's less potential frustration. (A FB that the user can't get working certainly won't improve their privacy.)

In the ensuing discussion, the big unknown remained that no one has adequate data on which ISPs (or what percentage of all ISP users) face such restrictions. But then again, ISP restrictions are not a new problem for FreedomBox; the project has always been interested in running its own services, which inherently involves making incoming connections accessible from the outside — and which many ISPs frown upon.

The hardware angle

The other challenge to deploying FreedomBox on a home router is the availability of suitable hardware at an affordable price point. For the plug-and-play server design, there are a number of inexpensive plug computer options already known to the project. But few of them offer multiple network interfaces, which is a necessity for routers.

On the other hand, the aftermarket router firmware community typically must maintain multiple builds targeted at individual products, in order to cope with peculiarities of design (such as the vendor changing the internal flash memory without changing the model number) and with binary-blob drivers. Consequently, getting Debian to run on a commercially-available router is likely to prove difficult. Alexandre noted that Debian already runs on some Linksys routers, but with major caveats: "The wireless driver is a binary kernel module (first problem), and it needs a 2.4 kernel (second problem.)"

A third possibility he discusses is ALIX boards, which are low-power x86 devices available in several configurations, including some with multiple network interfaces. There is an active Debian port to the ALIX, although Alexandre admitted he was unsure if it was free of binary-only drivers.

The proposed router-centric milestone release is still an ongoing discussion topic at FreedomBox. As the Cisco incident reveals, there is clearly a need for a privacy-and-freedom-respecting router. OpenWRT and similar projects are decent options for those comfortable flashing the firmware and voiding their warranty, but those projects can never provide an out-of-the-box experience. Taking on that challenge may be too far afield for FreedomBox, though. It is at least feature-creep, which is generally taken to be a bad thing. But it may be a more attainable target, in which case it could do a lot to attract new talent to the FreedomBox project, which would be a win in the long run.


(Log in to post comments)

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 4:16 UTC (Thu) by paravoid (subscriber, #32869) [Link]

ALIX is a pretty standard x86 box and stock Debian runs perfectly -- no special port needed nor any binary drivers. Since quite a while there has been kernel support in mainline for the box's LEDs too, through the led subsystem. Everything works like a charm.

That being said, the box does not include WiFi, ADSL, GSM/GPS or anything like that. It just has miniPCI slots for people to buy their own cards. Some of them may require firmware, although there are certainly e.g. WiFi cards that don't.

Debian on ALIX

Posted Jul 5, 2012 8:04 UTC (Thu) by osma (subscriber, #6912) [Link]

I think the main feature that is missing (AFAIK) from stock Debian is running from a read-only file system by default in order to increase Compact Flash lifetime. This is offered by the debian-for-alix port. Also, most ALIX boards do not have a VGA console, so installation of stock Debian may be a bit of a challenge for the uninitiated.

Another option not mentioned in the article is Voyage Linux, a Debian-based embedded distribution which runs on ALIX, Soekris and similar platforms. I use it to run a few ALIX and WRAP boxes and it works quite well. As with the Debian ALIX port, you have easy access to all Debian packages, but the base system is pre-customized for the hardware, root filesystem is read-only and installation is relatively easy.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 12, 2012 0:56 UTC (Thu) by BenHutchings (subscriber, #37955) [Link]

I don't believe there are any wifi cards that don't require firmware. Some of them load it from flash, but that doesn't make it any more free than firmware loaded from disk. (It may be easier to install, though.)

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 12, 2012 0:58 UTC (Thu) by BenHutchings (subscriber, #37955) [Link]

Having said that: there is free firmware for some wifi cards.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 7:30 UTC (Thu) by Cato (subscriber, #7643) [Link]

To make this usable by ordinary mortals, I'd recommend Tomato USB distros as an example of what can be done. Tomato is not fully open source unfortunately (the GUI is closed I think) but it's a great example of what an open source GUI and router distro can look like.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 18:33 UTC (Thu) by thedevil (subscriber, #32913) [Link]

I have used both Tomato and OpenWRT, and the current OpenWRT UI is actually _better_ , and that includes "prettier". The only reason it is "harder" than Tomato is that there is so much more functionality ...

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 9:56 UTC (Thu) by fb (subscriber, #53265) [Link]

Thanks for the article! I can always use more WiFi router hacking stories.

One thing that I wish you had done right at the start was to say "Debian based". I went from starting to read to skimming the article to answer "and what advantage/difference it has over OpenWrt or DD-WRT?".

[...]

Honestly, being an OpenWrt and Tomato user, after reading this article and Freedombox FAQ, I am left with the impression that this is a project kick-started by Eben Moglen out of not knowing about OpenWrt or DD-WRT. Don't get me wrong, it is great to have more people working for `embedded wireless freedom`, but flat out ignoring existing mature options sounds counter-productive.

The claim made at the end of the article:
OpenWRT and similar projects are decent options for those comfortable flashing the firmware and voiding their warranty, but those projects can never provide an out-of-the-box experience.

Sounds a bit like poetic license ;-)

From what I can read at freedomboxfoundation.org, this project is still pretty much at the kick-start phase. So in reality it is more like perhaps a viable option 2 years down the road. While there are plenty of officially supported DD-WRT routers (search Newegg or Amazon) on sale. Today. (With Amazon even selling DD-WRT pre-installed routers).

I mean, if you needed a 'free from oppression' *supported* firmware for a wifi router all you need to do is to get one of those Asus routers and add (the supported) DD-WRT firmware. I understand it is not Debian, but the project stated goals are about making a `free from oppression` box, and not a (i) `free from oppression box` (ii) running Debian.

Also in real life, I can imagine being easier to import an Asus or TP-Link router into $COUNTRY_WITH_OPPRESSIVE_GOVERNMENT and manually installing something called DD-WRT than getting a router named Freedom Box through customs.

BTW, if anyone is interested in getting more Debian into your OpenWRT box, check out http://www.debwrt.net/ (No, I never installed it myself, opkg suffices for me).

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 17:04 UTC (Thu) by n8willis (editor, #43041) [Link]

Sounds a bit like poetic license
Out-of-the-box means it is already installed when you open the box. Who is selling OpenWrt pre-installed?

Nate

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 17:46 UTC (Thu) by pj (subscriber, #4506) [Link]

Buffalo sells routers with DD-WRT preinstalled.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 18:52 UTC (Thu) by n8willis (editor, #43041) [Link]

DD-WRT is not OpenWrt, however; they (DD) have proprietary pieces for which they do not provide source. There is a whole other can of worms about the manner in which DD provides source and whether or not it is sufficient to compile and build a working image (an argument which I have not desire to get into). But in any event, making modifications to the version of DD that ships with Buffalo still voids the device's warranty.

Nate

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 18:06 UTC (Thu) by DaleQ (subscriber, #4004) [Link]

I'm impressed with the OpenWRT based devices (that can act as a gateway or repeater node automagically) sold by Open-Mesh.com.

(Not affiliated, just happy customer).

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 20:41 UTC (Thu) by hummassa (subscriber, #307) [Link]

Nope, down here (Brasil) we have a lot of OEMs that slap together some Broadcom-based routers with openwrt or ddwrt preinstalled. I had one of those, and it had better range than many brand-name routers I had.

http://www.produtosdefabrica.com.br/Roteador_DD_WRT_Wirel...

(in pt_BR, and prices in R$ 1 = US$ .50)

Can FreedomBox be an alternative for router manufacturers?

Posted Jul 5, 2012 12:04 UTC (Thu) by davecb (subscriber, #1574) [Link]

If I were trying to source the software for a series of el-cheapo routers, I'd be far more interested in a free OS than one for which I have to pay money.

IMHO, the Freedom Box and -WRT projects should be emphasizing this.

--dave

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 12:59 UTC (Thu) by Thue (subscriber, #14277) [Link]

> Cisco has subsequently altered the wording in question, which now says that "usage" information is only associated with a randomly-generated ID number controlled by the device owner.

As documented by the AOL search data leak, just because some historical data is only organized by a random id, doesn't mean you can't derive from it who the user is.

For example, if I have unusual working hours, they can match that to my Internet activity. Or if they know which email provider I use, they can look for connections to that in the data.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 16:04 UTC (Thu) by ortalo (subscriber, #4654) [Link]

IMHO the FreedomBox project needs more differenciation features (possibly from the technical point of view).

If it turns into a home-wifi-router, how will it be different from my good old dd-wrt Buffalo that I set up 2 years ago - also for additional security features unavailable on conventional boxes firmware? (Linksys/Openwrt users will pick up their preferred or more recent toy, but probably end up with a similar idea.)

Maybe such differenciation will be in securing a hardware supply for people who want it. Maybe it will be in a no-compromise approach to software security (ala OpenBSD). Maybe it will be another idea... But more and more, it seems to me that - from the technical point of view - they will dissolve in the rest of the opensource ecosystem if they do not pick up something unique.
(BTW, that's not a criticism, I like the idea that the values defended by the FreedomBox project are also present in other community projects.)

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 16:28 UTC (Thu) by jmorris42 (subscriber, #2203) [Link]

> IMHO the FreedomBox project needs more differenciation features...

No, if they want to achieve their stated goals they need less. In that they need to create their stuff in such a way that they can be widely deployed to the point they become expected. That probably won't happen if it is only available as a special purpose hardware device. So they need to be thinking more along the lines of a set of portable packages along with a reference system image.

Most ISPs will be happy to rent you a WiFi router/AP but will allow you to connect your own equipment. Being outside the NAT would eliminate half of the problems with the Freedom Box. Yes there are places where you can't replace the outside facing hardware. Yes there will be people wanting to run inside a NAT... and if we assume IPv6 isn't going to happen in the next decade there will be a lot of those in places where IPv4 address exhaustion is a problem. But the best way to evolve software is when it is in active use. Get it running NOW and adding features will happen faster. Stop building a perfect Cathedral and raise a flag out in the bazaar as soon as you have something that will inspire.

I'm running OpenWrt now. Dual band abgn with an untainted kernel. The hardware is available, you just have to shop careful. Instead of chasing what could be, deploy on what is available now. If asking users to reflash is an issue, sell preflashed units and raise a little extra scratch to fund development. I'd bet you could do that and still be less expensive than a plug.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 20:49 UTC (Thu) by ortalo (subscriber, #4654) [Link]

We agree in fact: for a simpler implementation. No?

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 16:24 UTC (Thu) by awesomeman (guest, #85116) [Link]

I think the idea of making the FreedomBox a router is a really, REALLY great idea.

I personally drop my jaw at people I know that spend $150 on a router, it just seems insane, (I buy a $20 8-port gigabit switch, and pick up a wireless access point from goodwill) but they do it, and the FreedomBox can say, we do all that, and all this privacy stuff too. Store you picture!, etc, etc---getting ricer types excited about it would be nice. Its Debian, so we want all these home media center features anyways, it doesn't detract that it would basically be a differn't project--cause its just Debian, and it would get people using, and enabling their Freedom!

Very good idea making a router distro as the central one for the freedombox. There are too many problems with most routers people use too. (as is mentioned in the article). Its also a way to get people introduced to Linux in general.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 16:29 UTC (Thu) by awesomeman (guest, #85116) [Link]

Also, the reason I've seen users rationalize over-spending on routers, is that they think it won't go out of date as soon.

While is this may or not be true, having the software stack based on Debian, means there is a clear and long-term upgrade path (both hardware and software-wise) for that router they are buying, which is much more than other suppliers can say.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 22:30 UTC (Thu) by cesarb (subscriber, #6266) [Link]

> I personally drop my jaw at people I know that spend $150 on a router, it just seems insane, (I buy a $20 8-port gigabit switch, and pick up a wireless access point from goodwill)

Does that access point do 450 megabit 802.11n simultaneous dual-band (which needs two independent radios, each with 3 antennas)? Or is it a no-name 802.11g access point, which tops at 54 megabits (the difference is greater than the numbers show, since the newer 802.11n standard has less overhead), and which can only work in the very congested 2.4GHz band, and which probably is vulnerable to the recent WPS exploit?

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 23:03 UTC (Thu) by apoelstra (subscriber, #75205) [Link]

>Does that access point do 450 megabit 802.11n simultaneous dual-band (which needs two independent radios, each with 3 antennas)? Or is it a no-name 802.11g access point, which tops at 54 megabits (the difference is greater than the numbers show, since the newer 802.11n standard has less overhead), and which can only work in the very congested 2.4GHz band, and which probably is vulnerable to the recent WPS exploit?

I would expect there to be no difference for 99.9% of people, since most don't transfer massive files around, and those who do, probably do it infrequently enough that they can go through the hassle of plugging in a wire. (I'm a fairly tech-savvy guy, and I fall into the latter category, for example.)

Also, I'd be surprised to see more than a dozen AP's in a typical suburban location, so while 2.4GHz may be congested in general, by the pigeon-hole principle, you can probably find an empty channel.

In my experience, people who buy expensive consumer routers are the same ones who buy computers with 8Gb of RAM, and use it to browse the Internet. In both cases, there will be no performance gain from the better hardware, but there would be a big performance gain from using Free Software.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 5, 2012 23:51 UTC (Thu) by hummassa (subscriber, #307) [Link]

> I would expect there to be no difference for 99.9% of people, since most don't transfer massive files around, and those who do, probably do it infrequently enough that they can go through the hassle of plugging in a wire. (I'm a fairly tech-savvy guy, and I fall into the latter category, for example.)
Many people want to stream 1080p videos to all TVs in the house without having to rewire the house.
> Also, I'd be surprised to see more than a dozen AP's in a typical suburban location, so while 2.4GHz may be congested in general, by the pigeon-hole principle, you can probably find an empty channel.
Suburban, yes; urban, three to four dozen APs at any time.
> In my experience, people who buy expensive consumer routers are the same ones who buy computers with 8Gb of RAM, and use it to browse the Internet. In both cases, there will be no performance gain from the better hardware, but there would be a big performance gain from using Free Software.
Yes. I agree.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 6, 2012 3:07 UTC (Fri) by nybble41 (subscriber, #55106) [Link]

> Also, I'd be surprised to see more than a dozen AP's in a typical suburban location, so while 2.4GHz may be congested in general, by the pigeon-hole principle, you can probably find an empty channel.

There will be at least some overlap if you have more than three access points in range. There may be eleven "channels", but at best only three of them (1, 6, and 11) are completely disjoint. Worse, access points too weak to properly detect can still cause interference. You may only be able to _list_ a dozen APs with at least marginal reception, but there can still be others close enough to cause problems.

MIMO and beam-forming can help immensely in cutting down on the interference, but you won't find those features in bargain-basement 802.11g routers.

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 6, 2012 9:13 UTC (Fri) by mpr22 (subscriber, #60784) [Link]

Define a "typical suburban location" - do you mean half-acre-lawn detached-house American suburbs, postage-stamp-lawn terraced-house English suburbs, or French tower-block banlieues?

Can FreedomBox be an alternative to commercial home routers?

Posted Jul 13, 2012 17:06 UTC (Fri) by SteveAdept (guest, #5061) [Link]

In my last apartment, I could see 40 (!) wireless routers from my front room. This is not at all uncommon.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds