It has been a little while since I’ve written anything on this blog, which is a shame as it’s something I like to do. There is something therapeutic about writing up the details of a project you have just completed, especially when it created a lot of problems and you managed to (finally) overcome them.
The school I work at had a requirement for the File/Print/Intranet all-in-one server to be upgraded. Previous problems with the electricity supply to the school (including lightning strikes) had caused intermittent problems to appear on certain parts of the motherboard, including the SATA connectors, which is a big issue for any computer.
So, having been handed approximately 100GBP to build a ‘new’ machine around the old hard drives (which were pretty new), I had a think about the leftover hardware. We had an old case, a motherboard, a spare 40GB IDE HDD and a bit of chewing gum. I could make a hardware firewall out of this, using the rock-steady build of Smoothwall Express 3.0.
All I would need to do is buy another NIC (the onboard NIC being another motherboard component that was fried) and reinstate an old modem that appeared to be compatible with Smoothwall.
Smoothwall can run on a very slow system, with some people reporting it works using a 133MHz machine and virtually no RAM. However, the school network will have over 50 users connected to the internet at any one time, which will definitely put a demand on the machine handling this traffic. In my opinion it’s always best to over-spec a machine! Here’s the list of components used for this project:
- An old ATX PC case (the old file server case) with working PSU
- An MSI MS-7211 Motherboard
- Intel Celeron D328 2.5GHz CPU
- 2 x 512MB sticks of RAM
- An old Western Digital 40GB IDE HDD
- TP-Link Gigabit Ethernet Network Interface Card (NIC) – I’ll use this on the LAN side
- TP-Link 10/100 Ethernet NIC (to be used on the WAN side as our internet is lucky to hit 10Mbit downstream – 100Mbit leaves a lot left in the tank for future upgrades in our internet connection)
- A modem with either USB or Ethernet connection (I used the Ethernet option)
- A borrowed DVD-ROM drive for installation of the Smoothwall OS
- A borrowed monitor for installation
- A borrowed keyboard for installation
- 2 x Ethernet cables for connecting the NICs to the rest of the network
- ISP login details for connecting to the internet
- A copy of Smoothwall Express 3.0 on a CD-ROM
Armed with the components I started the installation, which was an absolute doddle. Everyone’s setup will vary depending on what they want to use it for, so I went through a fairly standard one: plug in all the parts, get the DVD drive working so that the machine boots from the Smoothwall CD, and follow the on-screen instructions.
When setting up the NICs on mine, because the onboard LAN had been fried by the earlier lightning strike, I used the 10/100 PCI NIC as my ‘Red’ interface, meaning the interface that connects to the modem and the internet (WAN), and the 10/100/1000 PCI NIC as my ‘Green’ interface, meaning the interface connected to the local network (LAN).
I then configured the subnet for my network. Connection to the WAN (Red) was via PPPoE, with the details from the school’s ISP noted down on paper to be used later on.
One of the main questions I remember being asked is whether I wanted Smoothwall’s outgoing policy to be totally open or totally closed (with ‘pinholes’). This governs traffic leaving the local network for the internet: ‘open’ lets any outbound connection through, while ‘closed’ blocks everything except the standard ports for website access. Inbound connections from the internet are blocked either way. Most people will choose the closed option and gradually open up the ports they find they need for different services (sometimes called ‘pinholing’). The whole point of the project for the school was to improve the security of the network on the internet and to restrict access to school-unfriendly sites and services, hence why I chose the closed-off option.
First time fire up
Firing the machine up for the first time, I kept the keyboard and monitor plugged in just in case, but found that I didn’t need them. Using my laptop connected by cable (via a switch) to the ‘Green’ LAN, I was able to reach the machine at https://192.168.0.1:441 with the username and password I had set during installation. The web interface then appeared on my laptop screen, where I could change and enter all of the settings for the Smoothwall box.
This was looking good. The first thing I wanted was internet access, so I went to the ‘Networking’ menu and chose ‘Interfaces’. The configuration I set at installation was showing in the ‘Green’ section, and the ‘Red’ section was set to PPPoE, meaning the ISP details still had to be entered.
The next step was the ‘PPP’ page, where you enter your ISP login details. I entered them as I had noted them down and was amazed when it worked first time. The connection itself is started from the Smoothwall homepage; if it sits trying to connect for any length of time, the chances are it hasn’t worked and you need to check your configuration on the ‘PPP’ and ‘Interfaces’ pages.
I did my standard test of accessing www.bbc.co.uk to prove I was connected to the internet through the Smoothwall box.
One of the first things I wanted to configure once the internet was up and running was the web proxy. A web proxy allows ‘filtering’ of the internet, as all HTTP requests pass through it, and also caching: commonly accessed sites and downloaded files are stored on the Smoothwall, which reduces the bandwidth needed on the internet connection. This is especially useful for me with Microsoft updates for the ICT suite machines, as they are downloaded once and then served to all the other machines from the Smoothwall, making the process much faster!
Configuring the websites to be blocked requires WinSCP (to edit files on the box) and a little knowledge of squid Access Control Lists (ACLs). I found a very helpful guide for this which refers to an earlier version of Smoothwall but is still mostly correct for the latest version; just remember that the proxy/cache ACL files are in /var/smoothwall/proxy/ rather than where the guide says, and that the HTML pages shown for blocked sites are in /usr/share/errors/English (or whatever language you’re using!). This took me an age to find, as very little documentation was available for it. I then edited those files and added some of my own to explain the time rules for certain websites (mostly social networking) which can only be accessed outside school hours.
Unfortunately, most people can circumvent the web proxy by using the https versions of websites, as these are not filtered by the same ACLs. How much of a gap this is depends on how the proxy is used: if the browsers are pointed at the proxy explicitly, an HTTPS request arrives as a CONNECT to host:443 and the same destination-domain ACL can deny it; if the proxy is transparent, only port 80 is redirected to it, HTTPS never reaches the ACLs, and it has to be blocked at the firewall by destination address instead. If anyone has a way of blocking these sites using a different method (iptables comes to mind) please let me know by commenting at the bottom of this post!
I set the size of the cache to 1000MB (about 1GB). It could be set higher, as there is spare disk space, but larger values left the machine short of RAM, so I trimmed it back by trial and error until I reached this figure.
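To show what the squid ACL side of this looks like, here is an added example: a small shell script, not the guide the post refers to and not Smoothwall’s generated configuration, that writes two domain lists (sites blocked outright, and social sites allowed only outside school hours) and the matching http_access and deny_info lines. The directory, list file names, placeholder domains and the ERR_SCHOOL_HOURS page name are assumptions; the post only says the ACL files live under /var/smoothwall/proxy/ and the error pages under /usr/share/errors/English.

```shell
#!/bin/sh
# Added example (not from the original post or Smoothwall): build squid ACL
# lists and the access rules for a "blocked outright" list and a "social"
# list that is only reachable outside school hours.
# ACL_DIR, ERR_DIR and the file names are assumptions; the post found the
# proxy ACL files under /var/smoothwall/proxy/.  Run as:  sh make-acls.sh apply

ACL_DIR="${ACL_DIR:-/var/smoothwall/proxy}"
ERR_DIR="${ERR_DIR:-/usr/share/errors/English}"

# Domain lists. A leading dot in a squid dstdomain entry matches the domain
# and every subdomain, so ".example-social.test" also covers
# www.example-social.test. The domains are constructed placeholders.
write_lists() {
    mkdir -p "$ACL_DIR"
    cat > "$ACL_DIR/blocked.domains" <<'EOF'
.example-proxy-avoidance.test
.example-gambling.test
EOF
    cat > "$ACL_DIR/social.domains" <<'EOF'
.example-social.test
.example-video.test
EOF
}

# Access rules. squid evaluates http_access lines top to bottom and acts on
# the first line whose ACLs all match, so these deny lines must sit before
# any "http_access allow" for the LAN. With browsers pointed at the proxy
# explicitly, an HTTPS request is a CONNECT host:443 and dstdomain matches
# it as well; a transparent proxy only sees redirected port 80.
write_acl_snippet() {
    cat <<EOF
acl blocked dstdomain "$ACL_DIR/blocked.domains"
acl social dstdomain "$ACL_DIR/social.domains"
# squid time ACL: day letters (M T W H F A S) then HH:MM-HH:MM
acl school_hours time MTWHF 08:00-16:00
http_access deny blocked
http_access deny social school_hours
# deny_info is keyed on the last ACL of the deny line that matched, so the
# time-rule page hangs off school_hours, not social. ERR_ACCESS_DENIED is
# squid's stock page; ERR_SCHOOL_HOURS is a file you add to $ERR_DIR.
deny_info ERR_ACCESS_DENIED blocked
deny_info ERR_SCHOOL_HOURS school_hours
EOF
}

case "${1:-}" in
    apply) write_lists; write_acl_snippet ;;
esac
```

After the lists are in place and the snippet is included in the proxy configuration, `squid -k parse` checks the syntax and `squid -k reconfigure` reloads it without dropping the cache.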
Dynamically Assigning IP Addresses (DHCP)
Under the ‘Services’ menu you will find a section titled DHCP. You will probably have configured this on the installation phase of Smoothwall, but you can make changes again to it here, and you can even extend it using the DHCP Lease CGI extension, available here.
I set up a pool of 100 IP addresses. I recommend choosing a range at the higher end of the 254 usable addresses in the subnet. The reason for leaving a big gap from the start of the range is that devices like WiFi access points, network printers and anything else with a fixed address usually sit at the low end (I keep a record of these devices and their addresses to help troubleshoot problems with them or with other devices).
The DHCP Lease plugin lets me see the names of the machines connected as well as their IP addresses, which comes in useful when looking at which firewall or web proxy hits are occurring and from which machine. By tracking the IP address I can see who is trying to do what.
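The post does that matching of IP address to machine name by eye. Here is an added example that does the join with awk; it is not part of the original post or of the DHCP Lease plugin, it assumes the ISC dhcpd.leases file format and squid’s native access.log format, the two file paths are assumptions, and the lease and log lines in the sample are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the DHCP Lease plugin: join
# proxy denials to DHCP lease hostnames so a hit is tied to a machine name.
# Assumes the ISC dhcpd.leases format and squid's native access.log format;
# both default paths are assumptions.  Run as:  sh who-was-denied.sh demo|live

LEASES="${LEASES:-/var/lib/dhcp/dhcpd.leases}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/squid/access.log}"

# Usage: denied_by_host LEASES_FILE ACCESS_LOG
# Prints "client-ip hostname url" for every TCP_DENIED entry in the log.
denied_by_host() {
    awk '
        # First file: dhcpd.leases. Remember the hostname per IP; a later
        # lease for the same address overrides an earlier one, as it should.
        FNR == NR {
            if ($1 == "lease") ip = $2
            if ($1 == "client-hostname") { gsub(/[";]/, "", $2); name[ip] = $2 }
            next
        }
        # Second file: squid native log. Fields are
        # time elapsed client result/status bytes method url ident hier/from type
        $4 ~ /^TCP_DENIED/ {
            client = $3
            printf "%s %s %s\n", client, ((client in name) ? name[client] : "unknown"), $7
        }
    ' "$1" "$2"
}

# Constructed sample data so the script can be tried offline. The third log
# line is a CONNECT, which is how an HTTPS request reaches an explicit proxy.
run_sample() {
    dir=$(mktemp -d)
    cat > "$dir/dhcpd.leases" <<'EOF'
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.0.201 {
  starts 1 2013/09/02 07:55:10;
  ends 1 2013/09/02 19:55:10;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ICT-SUITE-07";
}
lease 192.168.0.202 {
  starts 1 2013/09/02 08:01:42;
  ends 1 2013/09/02 20:01:42;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "STAFFROOM-LAPTOP";
}
EOF
    cat > "$dir/access.log" <<'EOF'
1378108800.123      0 192.168.0.201 TCP_DENIED/403 3456 GET http://www.example-social.test/ - NONE/- text/html
1378108805.456    120 192.168.0.202 TCP_MISS/200 12000 GET http://www.bbc.co.uk/ - DIRECT/203.0.113.5 text/html
1378108810.789      0 192.168.0.77 TCP_DENIED/403 3456 CONNECT www.example-social.test:443 - NONE/- text/html
EOF
    denied_by_host "$dir/dhcpd.leases" "$dir/access.log"
    rm -rf "$dir"
}

case "${1:-}" in
    demo) run_sample ;;
    live) denied_by_host "$LEASES" "$ACCESS_LOG" ;;
esac
```

An address with no lease (192.168.0.77 in the sample) comes out as "unknown", which, with the post’s convention of keeping fixed-address devices at the low end of the range, usually means a printer, access point or other statically configured box rather than a user’s PC.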
Earlier we made the firewall ‘fully closed with exceptions’. These exceptions are called ‘pinholes’, as they are essentially small holes in the firewall through which data can pass. To modify what is allowed through the firewall (i.e. from the ‘Green’ LAN side to the ‘Red’ WAN side) go to the ‘Networking’ section of the Smoothwall web interface and select ‘Outgoing’. You can choose from pre-configured exceptions in the drop-down list, or, if you know the protocol (TCP or UDP) and port number for a piece of software or application not in the list, you can add your own manually using the fields on this page.
Once you have finished adding pinholes for your firewall on this page, make sure you click on the ‘Save’ button at the top to have them applied. I have added exceptions for the use of Skype, some online gaming for the school’s computer club and the school’s webmail amongst other things.
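To make ‘closed with pinholes’ concrete, here is an added example of a generic netfilter egress ruleset. It is not Smoothwall’s own generated rule set (that is managed by the web interface and its chain names are not shown in this post); it assumes eth0 is the Green interface and ppp0 the Red one (the interface name PPPoE normally creates), and the pinhole list and the 203.0.113.10 address used in the usage line are made up for the example. It also shows the blunt iptables answer to the https question raised above: rejecting a site’s address on every port.

```shell
#!/bin/sh
# Added example, not Smoothwall's own rule set: a generic netfilter version
# of "closed with pinholes" egress from the Green LAN to the Red WAN.
# Assumptions: eth0 is Green, ppp0 is Red (the interface PPPoE creates).
# Set IPT=echo to print the rules instead of applying them.
#   sh egress.sh apply          build the policy
#   sh egress.sh block 203.0.113.10   reject one destination on every port

IPT="${IPT:-iptables}"
GREEN="${GREEN:-eth0}"
RED="${RED:-ppp0}"

# Pinholes as proto:port pairs (assumed list). Anything not listed is logged
# and dropped. Browsing through the proxy is not governed by these rules:
# squid runs on the firewall itself, so its fetches leave via OUTPUT, not FORWARD.
PINHOLES="${PINHOLES:-tcp:80 tcp:443 tcp:993 udp:123}"

egress_policy() {
    $IPT -N green2red 2>/dev/null || $IPT -F green2red
    # Later packets of flows that were already allowed out.
    $IPT -A green2red -m state --state ESTABLISHED,RELATED -j ACCEPT
    for hole in $PINHOLES; do
        proto=${hole%%:*}
        port=${hole##*:}
        $IPT -A green2red -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Log a sample of the drops: this is where the next needed pinhole shows up.
    $IPT -A green2red -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
    $IPT -A green2red -j DROP
    # Replies to LAN-initiated connections come back Red -> Green.
    $IPT -A FORWARD -i "$RED" -o "$GREEN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$GREEN" -o "$RED" -j green2red
}

# Reject traffic to one destination address on every port, inserted ahead of
# the pinholes so it also beats the https pinhole. Caveat: shared hosting and
# CDNs mean one address can serve many sites and can change, so the address
# list needs rechecking and can block unrelated sites.
block_host() {
    $IPT -I green2red 1 -d "$1" -j REJECT --reject-with icmp-admin-prohibited
}

case "${1:-}" in
    apply) egress_policy ;;
    block) block_host "$2" ;;
esac
```

The LOG rule is the practical part: when a new application fails, the kernel log shows the protocol and port it tried, which is exactly what the ‘Outgoing’ page asks for when you add the pinhole.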
Well, that’s about it for my short ‘guide’ on installing your own hardware firewall/proxy/cache using Smoothwall Express 3.0. It’s a great piece of kit, and I’ve only just scratched the surface of the benefits it can add. As you will have noticed with this website, I am very much a ‘learn by doing’ kind of person, which can land me in trouble from time to time, but by documenting my past mistakes hopefully I won’t make so many in the future, and maybe I can help someone else stop making those mistakes too.
I was drafting up a review of the previous modem/router we were using to run our network, which was a Cisco WAG320N. Although a good piece of kit, I could never get it to stay online for more than 24 hours without disconnecting, despite choosing ‘nailed up connection’ in the settings and double checking with a 3BB engineer (our ISP) that the settings I was using were correct. In the end, he said that if I changed the router it would work better. Well, using the Smoothwall box instead, I have found that we have a steady internet connection for several days, and when it disconnects the machine automatically reconnects without being asked (you can change the setting for that on the Network -> PPP page of the web interface).
I hope this guide was useful for you. One of the things I now need to test and configure is the dynamic DNS I have set up for the school network, which lets me reach resources over the internet; great for some remote administration from home or when travelling.