Soekris 4501 : m0n0wall Firewall – OpenSource power for small business / home security


  •  Hardware

I recently bought two Soekris 4501 routers for two different projects: the first to build an NTP server (hey.. what news!) and the other one could be useful as a good small business/home firewall. I’ll begin with this last one. The Soekris 4501 is the first (and oldest) series of high-performance routers from the Soekris company, sited in Scotts Valley, California (http://soekris.com). This magnificent router is equipped with an AMD ElanSC520 at 133 MHz (which has the special ability of an internal clock timer, as we shall see much more deeply in the next NTP project), 64 MB of PC100 SDRAM and three National Semiconductor Ethernet ports supporting 10BaseT and 100BaseT, with RJ45 connectors at the board edge and built-in LEDs for link status. For the OS it mounts an external Compact Flash card (in this specific case I used a 64 MB one) and supports various operating systems including FreeBSD, OpenBSD, Linux and many others. The unit I found also has an integrated wireless card, a MikroTik RouterBOARD R52Hn with an Atheros AR9220 chipset and a power of 25 dB in the a/g/n bands (!). Unfortunately I’ve found that it is not supported by the FreeBSD 8.4 kernel, the one used in the latest version of m0n0wall (we’ll see that in the next section). It also has two expansion buses with GPIO pins you can use for different things or projects (that’s the way, cool). Anyway it’s a great router, a real must for anyone who is working or just having fun in IT.

m0n0wall

  • Software

m0n0wall (http://m0n0.ch/wall/) is an open project based on FreeBSD and PHP (no shell scripts) with its entire configuration stored in XML format. Basically it’s a great embedded firewall system that can be put on a Compact Flash card of less than 32 MB! (a coffee machine 🙂 ). It has VLAN and WLAN support, VPN, all types of configuration via web browser, NAT, DHCP server/client and much other stuff. Here I’ll explain shortly how you can get a LAN-LAN firewall (a firewall inside your Local Area Network) using m0n0wall to isolate a DMZ (if you have some servers) and get firewalled access to your PCs/laptops. I’ve found two different OS images: one specifically created for the 4501 and the other one for the 48xx models. The main difference is in the FreeBSD version: 4 for the 4501 and 8.4 for the last one. Both are working fine. You can find them here:

45xx –> http://www.sidmonitor.net/pub/net45xx-1.236.img

48xx  –> http://www.sidmonitor.net/pub/generic-pc-1.8.1.img

Once you have your image, you will have to burn it onto the CF. Mine was a 64 MB Kingston. You can use many Windows tools, but for me the best remains dd on Linux. So put the CF into a reader and check the device name with:

#dmesg

In my case it was sdb. So proceed to flash the image with:

#gunzip -c generic-pc-xxx.img | dd of=/dev/sdb bs=16k 

or for FreeBSD users:

#gzcat generic-pc-xxx.img | dd of=/dev/sdb bs=16k

When it has finished, put your CF inside the Soekris, take a console cable and connect it from the console port to your PC. If you are using Windows, you can use PuTTY too. The 4501 should have a default serial speed of 19200 with 8-1 data/stop bits and no parity. BUT in my case, after resetting the unit, it wasn’t like that. So I spent a little time finding the right baud rate: 57600.

First startup

Once the kernel has finished loading, you should see this screen:

[image: first m0n0wall console screen]

Before proceeding I’ll explain a possible LAN to LAN topology, but remember that you can use m0n0wall also for a WAN environment! This is the project’s topology:

[image: m0n0wall topology]

So I’ll use the WAN interface of the Soekris to connect to the first LAN of the home router. But let’s go one step at a time. We were at the prompt of our fresh new m0n0wall running on the 4501. Press 1 to select the interfaces. Normally they are prompted as sis0, sis1, sis2 (mine has 3 Ethernet ports), respectively for eth0, eth1, eth2. For this example I’ve assigned eth1 as the LAN interface and eth0 as the WAN interface, leaving eth2 free without adding an optional interface, no VLANs, and using of course the DHCP server (it will ask you to set a pool of addresses for it). Plug a straight-through cable from the 4501 WAN port to a LAN port of the home router, then another cable from the 4501 LAN port to your PC. Next step, it’s important to set your LAN IP address. Create it in a different subnet than the home router’s one. For example, if my home LAN is the 192.168.1.0/24 network, I’ll set the Soekris LAN address to 192.168.2.1/24. Set your PC to DHCP, or to a static address if you want. Remember, in this last case, to use the new default gateway of 192.168.2.1. As soon as the process is complete, you can connect with a browser to http://192.168.2.1 and start your configuration for the WAN. Use the login/password admin/mono (you can change them of course) and go to “System” – “General setup”. Point your DNS server to the home router (in this case 192.168.1.1) and be sure not to tick “Allow DNS server list to be overridden by DHCP/PPP on WAN”. Here is an example:

[image: General setup page with the DNS server set to 192.168.1.1]

Then go to the WAN section. Select static as the type and then pick a free LAN address from the home router’s network (in this case 192.168.1.0) with its default gateway (192.168.1.1). Remember not to tick “Block private networks” at the bottom of the page, because we are assuming an RFC 1918 address space for this project (the WAN side of the Soekris is itself a private network here; on a real public WAN that option should stay on).
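As an added example (not from the post and not m0n0wall’s own code), here is a small Python check of the addressing plan used in the steps above: the Soekris WAN address and the DNS server must live in the home router’s network, the Soekris LAN must be a different subnet, and “Block private networks” must be off only because the WAN sits on RFC 1918 space. The WAN address 192.168.1.50 is an assumed free address in the home router’s range; the other values are the post’s.

```python
# Added example, not part of the original post or of m0n0wall: a sanity
# check of the LAN-to-LAN addressing plan. Sample values are constructed
# from the post (home LAN 192.168.1.0/24, router 192.168.1.1, Soekris LAN
# 192.168.2.1/24); the WAN address 192.168.1.50 is an assumed free address.
from ipaddress import ip_address, ip_interface, ip_network


def check_plan(home_net, home_gw, wan_ip, lan_if, dns):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    home = ip_network(home_net)
    gw, wan, dns_ip = ip_address(home_gw), ip_address(wan_ip), ip_address(dns)
    lan = ip_interface(lan_if)

    # The Soekris WAN side lives inside the home router's network.
    if gw not in home:
        problems.append(f"gateway {gw} is outside {home}")
    if wan not in home:
        problems.append(f"WAN address {wan} is outside {home}")
    if wan in (gw, home.network_address, home.broadcast_address):
        problems.append(f"WAN address {wan} collides with the router, network or broadcast")
    # The Soekris LAN must be a different subnet, or routing between the sides breaks.
    if lan.network.overlaps(home):
        problems.append(f"LAN {lan.network} overlaps the WAN side {home}")
    if lan.ip in (lan.network.network_address, lan.network.broadcast_address):
        problems.append(f"LAN address {lan.ip} is not a usable host address")
    # DNS is pointed at the home router, which must be on one side of the firewall.
    if dns_ip not in home and dns_ip not in lan.network:
        problems.append(f"DNS server {dns_ip} is on neither side of the firewall")
    return problems


def block_private_networks(wan_ip):
    """Recommended state of the WAN 'Block private networks' checkbox.

    Here the WAN itself is on RFC 1918 space, so the option must stay off or
    the whole home LAN would be dropped; on a public WAN it should stay on.
    """
    return not ip_address(wan_ip).is_private


if __name__ == "__main__":
    plan = ("192.168.1.0/24", "192.168.1.1", "192.168.1.50", "192.168.2.1/24", "192.168.1.1")
    print("problems:", check_plan(*plan) or "none")
    print("tick 'Block private networks':", block_private_networks(plan[2]))
```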

You should be ready to go, and you should be able to ping all your LAN devices, including the DMZ zone and the cloud on the internet. I never heard of a m0n0wall firewall being exploited. Security comes down to the firewall rules you edit to allow access from outside. Assuming an attacker gets into the LAN 1 environment of our home/office router and DMZ, if no rules are applied he would be blocked by our firewall from accessing our private LAN. I’ve also tested the R52Hn card for WLAN. The card is recognized correctly by the OS, but it ends up with a status 14 error. I’ve found that the problem is resolved in FreeBSD 9, but the latest m0n0wall version is using 8.4. So, enjoy your Soekris 4501 with your new – free – firewall.
