Zeroshell is a small Linux distribution for servers and embedded
devices aimed at providing the main network services a LAN requires. It
is available as a Live CD or Compact Flash image, and it can be
configured and administered through a web browser. The main features
are listed below:

  • RADIUS server providing secure authentication and automatic
    management of the encryption keys for 802.11a/b/g wireless networks
    that support the 802.1X protocol, using EAP-TLS, EAP-TTLS and PEAP
    or the less secure authentication of the client MAC address; WPA with
    TKIP and WPA2 with CCMP (802.11i compliant) are supported too; the
    RADIUS server may also, depending on the username, group or MAC
    address of the supplicant, grant access to a preset 802.1Q VLAN;
  • Captive Portal to support web login on wireless and wired
    networks. Zeroshell acts as the gateway for the networks on which the
    Captive Portal is active and on which the IP addresses (usually
    belonging to private subnets) are dynamically assigned by DHCP. A
    client that accesses this private network must authenticate itself
    through a web browser using a Kerberos 5 username and password before
    Zeroshell's firewall allows it to reach the public LAN. Captive
    Portal gateways are often used to provide authenticated Internet access
    in hotspots as an alternative to 802.1X, which is too complicated for
    users to configure. Zeroshell implements the Captive Portal
    functionality natively, without relying on other software such as
    NoCat or Chillispot;
  • QoS (Quality of Service) management and traffic shaping to
    control traffic over a congested network. You can guarantee a
    minimum bandwidth, limit the maximum bandwidth and assign a priority to
    a traffic class (useful for latency-sensitive network applications such
    as VoIP). This tuning can be applied to Ethernet interfaces, VPNs,
    bridges and VPN bondings. Traffic can be classified using Layer 7
    filters that perform Deep Packet Inspection (DPI), which is useful for
    shaping VoIP and P2P applications;
  • HTTP Proxy server able to block web pages containing viruses.
    This feature is implemented using the ClamAV antivirus and the HAVP
    proxy server. The proxy works in transparent mode: the users' web
    browsers do not need to be configured to use it, because HTTP requests
    are automatically redirected to the proxy;
  • Wireless Access Point mode with multiple SSID and VLAN
    support, using WiFi network cards based on Atheros chipsets. In
    other words, a Zeroshell box with one of these WiFi cards can become an
    IEEE 802.11a/b/g Access Point providing reliable authentication and
    dynamic key exchange via the 802.1X and WPA protocols. The
    authentication takes place using EAP-TLS and PEAP over the integrated
    RADIUS server;
  • Host-to-LAN VPN with L2TP/IPsec, in which L2TP (Layer 2
    Tunneling Protocol), authenticated with a Kerberos 5 username and
    password, is encapsulated within IPsec authenticated by IKE using
    X.509 certificates;
  • LAN-to-LAN VPN with encapsulation of Ethernet datagrams in an
    SSL/TLS tunnel, with support for 802.1Q VLAN, configurable in
    bonding for load balancing (bandwidth increase) or fault tolerance
    (reliability increase);
  • Router with static and dynamic routes (RIPv2 with MD5 or
    plain text authentication and Split Horizon and Poisoned Reverse
    algorithms);
  • 802.1d bridge with Spanning Tree protocol to avoid loops even in the presence of redundant paths;
  • 802.1Q Virtual LAN (tagged VLAN);
  • Firewall with Packet Filter and Stateful Packet Inspection (SPI),
    with filters applicable in both routing and bridging on all types of
    interface, including VPN and VLAN;
  • Rejection or shaping of P2P file-sharing traffic using the IPP2P iptables module in the Firewall and QoS Classifier;
  • NAT to hide private-class LAN addresses behind public addresses on the WAN;
  • TCP/UDP port forwarding (PAT) to create Virtual Servers. This
    means that a cluster of real servers is seen through a single IP address
    (the IP of the virtual server) and each request is distributed
    to the real servers with a Round Robin algorithm;
  • Multizone DNS server with automatic management of reverse resolution (in-addr.arpa);
  • Multi-subnet DHCP server with the option to assign a fixed IP based on the client's MAC address;
  • PPPoE client for connection to the WAN via ADSL, DSL and cable lines (requires a suitable modem);
  • Dynamic DNS client to easily reach the host on the WAN even when its IP address is dynamic;
  • NTP (Network Time Protocol) client and server for keeping host clocks synchronized;
  • Syslog server for receiving and cataloguing the system logs
    produced by remote hosts, including Unix systems, routers, switches,
    Wi-Fi access points, network printers and other devices compatible with
    the syslog protocol;
  • Kerberos 5 authentication using an integrated KDC, with cross-authentication between realms;
  • LDAP, NIS and RADIUS authorization;
  • X.509 certification authority for issuing and managing digital certificates;
  • Unix and Windows Active Directory interoperability using LDAP and Kerberos 5 cross-realm authentication.
