Soekris Firewall

Target Audience
Computing enthusiasts only! If you are simply looking for a bundled up, ready to go solution, then you should be checking out m0n0wall. But if you don't want to be saddled with someone else's design choices, or you'd prefer to be using a recent version of FreeBSD, or you want to use PF as your firewall, or you just like rolling up your sleeves and getting your hands dirty, then this is the way to go!

Background
I had an ISP colocated in my home for a decade. Since I had free bandwidth, power, and CPU, I always had a beefy server as my firewall. It is very nice to install dhcpd, configure it and hand out addresses exactly as I want. I'm spoiled by the ability to install and configure my web server to serve exactly what I want. I want to install network monitoring apps, my own DNS server, VPN, etc.

Then I sold the ISP, the T3, and the house. My new home is served via cable modem, power is no longer free, but CPU is amazingly cheap. For a couple years I've had a dual 3.0 Xeon as my firewall, but keeping it powered up wasted a lot of electricity, which generated a lot of heat, which my A/C had to remove. And did I mention the noise? Even hidden in the guest room closet wasn't enough to silence it.

I used an Apple Airport Extreme base station as the NAT router/WAP for a while. It works great as an access point but offers nothing in the way of QoS. So I tried a Netgear gaming router with QoS. I really only need a few things from my router: decent firewall capabilities, QoS to prioritize my SSH logins and VoIP ahead of everything else, and sweet blessed silence. The Netgear router had all sorts of issues with my two VoIP phones (Packet8 and VoicePulse). I never did get both working reliably.

The next attempt was a Linksys WRT54GL with Linksys and OpenWRT firmware. I did get the Linksys to work with both phones, and even had some rudimentary QoS. However, voice quality always suffered quite noticeably when we were uploading or downloading anything. There simply isn't enough ability to manage the bandwidth. And, every week or two, the VoIP phones refuse to work again until the Linksys is rebooted. Yuck.

I read all about m0n0wall and several other nifty projects that cram most of a full OS into a 16/32/64MB CF card. But I had a better idea.

Firewall
The Soekris has three 10/100 ethernet ports, perfect for WAN, LAN, and DMZ. I configured eth0 as the WAN port; it expects a DHCP address from the broadband modem. eth1 is my intranet port with a static IP of 10.0.1.1, and it hands out DHCP addresses from a pool. The DMZ is on eth2 and also hands out DHCP addresses, served from the static IP of 192.168.3.1. I put my wireless access point(s) on the DMZ.

I chose PF as my firewall; I find it considerably easier than IPFW to administer and to get tricky setups right with. Also, ALTQ is a much better tool for prioritizing my LAN traffic than dummynet. The VoIP phones must work, and my wife's Exchange client running over her VPN connection back to HQ should not be able to ruin our phone calls or stall my SSH sessions. ALTQ is good.
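As an added illustration, not the author's own configuration (which the page does not reproduce), here is a pf.conf that implements the layout and priorities described above: three interfaces, NAT for the LAN and DMZ, a default-deny policy, and an ALTQ priority queue on the WAN side that puts VoIP and SSH ahead of everything else. The interface names follow the page; the /24 masks, the 1Mb upstream figure and the VoIP adapter addresses are assumptions.

```pf
# /etc/pf.conf for the three-port layout above (FreeBSD 6-era PF/ALTQ syntax).
# Interface names follow the page; substitute the driver names your board
# actually exposes. The /24 masks and the VoIP adapter addresses are assumed.
ext_if = "eth0"        # WAN, DHCP from the cable modem
int_if = "eth1"        # LAN, 10.0.1.1
dmz_if = "eth2"        # DMZ (wireless), 192.168.3.1

lan_net    = "10.0.1.0/24"
dmz_net    = "192.168.3.0/24"
voip_hosts = "{ 10.0.1.50, 10.0.1.51 }"   # constructed: the two VoIP adapters

# Source addresses that should never arrive from the Internet side
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 169.254.0.0/16 }

set skip on lo0
scrub in all

# --- ALTQ: priority queueing on the upstream link -----------------------
# priq orders packets strictly by queue priority. Set bandwidth a little
# below the real upload rate (1Mb is assumed here) so that the queue forms
# in PF, where it can be managed, rather than inside the cable modem.
altq on $ext_if priq bandwidth 1Mb queue { q_voip, q_ssh, q_ack, q_bulk }
queue q_voip priority 7
queue q_ssh  priority 6
queue q_ack  priority 5                 # empty TCP ACKs, so downloads stay fast
queue q_bulk priority 1 priq(default)   # everything else (the VPN lands here)

# --- NAT for both inside networks ---------------------------------------
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# --- Filtering: deny by default, then open what is needed ---------------
block log all
antispoof quick for { $int_if, $dmz_if }
block in quick on $ext_if from <martians> to any

# DHCP requests arrive from 0.0.0.0, so they need their own rule
pass in quick on { $int_if, $dmz_if } inet proto udp \
    from any port bootpc to any port bootps

# LAN may talk to anything. No state is kept here on purpose: the state
# (and with it the queue) is created by the "pass out on $ext_if" rules.
# VoIP traffic is tagged here because, on the WAN side, the filter only
# sees the source address after NAT has rewritten it.
pass in quick on $int_if from $voip_hosts to any tag VOIP
pass in on $int_if from $lan_net to any

# DMZ (wireless) may use the firewall's DNS and NTP and reach the Internet,
# but not the LAN and not any other service on the firewall itself.
pass in quick on $dmz_if proto { tcp, udp } from $dmz_net \
    to ($dmz_if) port { domain, ntp }
block in quick on $dmz_if from $dmz_net to { $lan_net, ($dmz_if) }
pass in on $dmz_if from $dmz_net to any

# SSH to the firewall itself from outside; its replies leave via q_ssh
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state queue (q_ssh, q_ack)

# Outbound on the WAN. The last matching rule wins, so the catch-all comes
# first and the specific queue assignments follow it.
pass out on $ext_if from any to any keep state queue (q_bulk, q_ack)
pass out on $ext_if proto tcp from any to any port ssh \
    flags S/SA keep state queue (q_ssh, q_ack)
pass out on $ext_if tagged VOIP keep state queue q_voip

# Replies and firewall-originated traffic toward the inside networks
pass out on { $int_if, $dmz_if } from any to any keep state
```

Syntax-check the file with pfctl -nf /etc/pf.conf before loading it. Two details are easy to get wrong: the queue is chosen by the rule that creates the state, and on the WAN interface the filter sees the post-NAT source address, which is why the VoIP adapters are recognised by a tag set on the LAN interface rather than by their 10.0.1.x addresses. ALTQ also requires a kernel built with options ALTQ and ALTQ_PRIQ, which is the reason the custom kernel build matters for this setup.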

LAN Services
Provide these services to our internal network.

recursive DNS (dnscache)

DHCP (isc dhcpd)

NTP (ntpd)

http (to serve graphs generated by stats program (lighttpd + SpeedyCGI))

mail (to send out nightly reports, intrusion notifications, etc. (qmail))

ez-ipupdate (dynamic DNS client)

Monitoring
SNMP (to collect stats from itself and other LAN devices (ucd-snmp))

pfstat

RRDutil (host stats such as CPU, temp, disk i/o & usage, network i/o, etc)

smartmontools

env4801

Results
It would be hard to be more pleased. The system is perfectly quiet and excepting the QoS rules (which I'm still futzing with), everything works exactly as it should.

I love being able to SSH in and watch the firewall hits in real time, and see exactly why my iChat AV connection timed out (oops, need a rule for that!).

I did notice that my RRDutil monitoring was causing some hefty CPU spikes every 5 minutes and heavy disk i/o, which was easily attributable to loading up the perl interpreter. So, I installed SpeedyCGI which, at the cost of a bit of memory, significantly reduces the CPU and disk impact of my monitoring scripts. You can see the difference in CPU load in this graph:



The spike into green was me compiling speedy, and you can see the load drop from really low to almost nil. Even with a nice complement of daemons running, I still have 48M of real memory available. I expect I'll need to grow my /var mfs by another 16MB and that leaves a comfortable margin for running all the system maintenance scripts. Of course, shutting down the web server would free up a lot of RAM as well.

I plan to install Big Brother on it soon and have it monitor a few critical things on a couple of my servers.

Q. Is it OK to shut down at will?
A. When shipped from TNPI, the file systems are mounted read-only by default. In this configuration you can power it off and on at will with no ill effects. Keep in mind that the counters maintained by pfstat and RRDutil are stored on an MFS (memory file system); they are only copied to disk when the system is shut down properly using reboot or shutdown.

If you remount the disks r/w, then you definitely should shut down gracefully or risk needing console access to employ our good friend fsck. If you do not have a console cable readily available, consider adding fsck_y_enable="YES" to /etc/rc.conf.

Q. Does ____ PCI card work?
A.

Q. What are the console settings?
A. By default, the Soekris ships with a non-standard 19200-8-N-1 console setting, whereas FreeBSD expects the much more common 9600-8-N-1. You can fix this in one of two ways. On FreeBSD, edit /boot/loader.conf and set:

comconsole_speed=19200

If you do decide to use the (faster) default 19200 setting, you might also consider:

echo "BOOT_COMCONSOLE_SPEED=19200" >> /etc/make.conf

Or use the easier (but slower) method of setting the Soekris BIOS:

set ConSpeed=9600

Q. How do I view stats for my firewall?
A. By default, you can access http://10.0.1.1:81/ to view your current stats.

Q. Why does my stats page title show gw.simerson.net instead of gw.mydomain.com?
A. The title comes from the file /usr/local/www/data/index.html. Here is how to fix it. Log in to your firewall.

vi /usr/local/www/data/index.html
/simerson                 (this searches for "simerson")
3cw domain.com            (this replaces the three words simerson.net with domain.com)
:wq

This will change the domain in the title from simerson.net to whatever your domain name is (domain.com).

Q. How do I give my printer a static IP address?
A. Log in to your firewall as root.

vi /usr/local/etc/dhcpd.conf
/wired network static IPs       (this searches for the first hard-coded IP entry)

Add an entry for your printer:

host printer {
    hardware ethernet 08:00:86:1a:91:e4;
    fixed-address 10.0.1.200;
    default-lease-time 604800;
}

Save the file, then restart dhcpd:

/usr/local/etc/rc.d/isc-dhcpd stop
/usr/local/etc/rc.d/isc-dhcpd start

Modify your printer to get its IP info via DHCP. Reboot the printer.

How To ...
Format a hard drive

Configure PF and ALTQ for VoIP

Build a custom kernel

Similar Projects
m0n0wall firewall : m0n0wall is a fantastic project, perfect for a Soekris appliance. Instead of a hard drive, m0n0wall can be installed onto a flash disk, and all configuration settings are saved on the flash disk. There is fantastic worldwide support for this project.

pfSense : pfSense is another great project that is perfect for a Soekris appliance. It is derived from the m0n0wall project; however, it uses the OpenBSD PF firewall with ALTQ support on FreeBSD 6.1, with an integrated package management system to extend its features.