I recently bought two Soekris 4501 routers for two different projects: the first to build an NTP server (ehy.. what a news!) and the other one could be useful as a good small business/home firewall. I'll begin with this last one. The Soekris 4501 is the first (and oldest) series of high-performance routers from Soekris, a company located in Scotts Valley, California (http://soekris.com). This magnificent router is equipped with an AMD ElanSC520 at 133 MHz (which has the special ability of an internal clock timer, as we shall see much more deeply in the next NTP project), 64 MB of PC100 SDRAM, and three National Semiconductor Ethernet ports supporting 10BaseT and 100BaseT, with RJ-45 connectors at the board edge and built-in LEDs for link status. For the OS it takes an external Compact Flash card (in this specific case I used a 64 MB one) and supports various operating systems including FreeBSD, OpenBSD, Linux and many others. The unit I found also has an integrated wireless card, a MikroTik RouterBOARD R52Hn with an Atheros AR9220 chipset and a power of 25 dB in the a/g/n bands (!). Unfortunately I found that it is not supported by the FreeBSD 8.4 kernel, the one used in the latest version of M0n0wall (we'll see that in the next section). It also has two expansion buses with GPIO pins you can use for different things or projects (that's cool). Anyway it's a great router, a real must for anyone working, or just having fun, in IT.
M0n0wall ( http://m0n0.ch/wall/ ) is an open project based on FreeBSD and PHP (no shell scripts) with its entire configuration stored in XML format. Basically it's a great embedded firewall system that can be put on a Compact Flash card of less than 32 MB! (a coffee-machine 🙂 ) It supports VLANs, WLAN, VPN, all configuration via web browser, NAT, DHCP server/client and much more. Here I'll explain shortly how you can build a LAN-LAN firewall (a firewall inside your Local Area Network) using M0n0wall to isolate a DMZ (if you have some servers) and get firewalled access for your PCs/laptops. I've found two different OS images: one specifically created for the 4501 and the other one for the 48xx models. The main difference is the FreeBSD version: 4 for the 4501 and 8.4 for the latter. Both are working fine. You can find them here:
Once you have your image, you will have to burn it onto the CF. Mine was a 64 MB Kingston. You can use many Windows tools, but for me the best remains dd on Linux. So put the CF into a reader and check the device name with:
In my case it was sdb. So proceed to flash the image with:
# gunzip -c generic-pc-xxx.img | dd of=/dev/sdb bs=16k
or for FreeBSD users:
# gzcat generic-pc-xxx.img | dd of=/dev/sdb bs=16k
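The flashing step above with the checks I would add before running dd against a raw device, as an added example that is not part of the original post: it refuses anything that is not a whole removable disk and reads the card back after writing. It assumes a Linux host with sysfs; the image name is the post's placeholder, and SYSFS_ROOT is an assumed knob so the checks can be exercised against a fake tree.

```shell
#!/bin/sh
# Added example (not from the original post): the post's "gunzip | dd" step with the
# checks a practitioner wants before writing to a raw device. Assumes a Linux host;
# the image name generic-pc-xxx.img.gz is the post's placeholder with the .gz suffix.
# SYSFS_ROOT is overridable so the checks can be exercised against a fake tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/block}"

# check_target DEVICE: refuse to write unless DEVICE is a whole disk (not a partition
# such as /dev/sdb1) that the kernel flags as removable, so a typo never hits the host disk.
check_target() {
    name="${1##*/}"
    if [ -z "$name" ] || [ ! -d "$SYSFS_ROOT/$name" ]; then
        echo "refusing: $1 is not a whole-disk device node" >&2
        return 1
    fi
    if [ "$(cat "$SYSFS_ROOT/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "refusing: $1 is not flagged removable" >&2
        return 1
    fi
    return 0
}

# flash_image IMAGE.gz DEVICE: decompress once, write with dd (bs=16k as in the post),
# then read the card back and compare byte for byte, since dd says nothing about a
# card that silently dropped writes. On Linux the read-back may be served from the
# page cache; for a strict check, remove and reinsert the card before comparing.
flash_image() {
    img="$1"; dev="$2"
    check_target "$dev" || return 1
    plain=$(mktemp) || return 1
    if ! gunzip -c "$img" > "$plain"; then rm -f "$plain"; return 1; fi
    size=$(wc -c < "$plain" | tr -d ' ')
    if ! dd if="$plain" of="$dev" bs=16k 2>/dev/null; then rm -f "$plain"; return 1; fi
    sync
    if head -c "$size" "$dev" | cmp -s - "$plain"; then
        echo "wrote and verified $size bytes to $dev"; status=0
    else
        echo "verification failed: $dev does not match $img" >&2; status=1
    fi
    rm -f "$plain"
    return "$status"
}

# Run as root against the real card, e.g.: sh flash.sh generic-pc-xxx.img.gz /dev/sdb
if [ "$#" -eq 2 ]; then flash_image "$1" "$2"; fi
```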
When it has finished, put your CF inside the Soekris, take a console cable and connect it from the console port to your PC. If you are using Windows, you can use PuTTY too. The 4501 should have a default serial speed of 19200 baud, 8 data bits, 1 stop bit and no parity. BUT in my case, after resetting the unit, it wasn't like that. So I spent a little time finding the right baud rate: 57600.
Once the kernel has finished loading, you should see this screen:
So I'll use the WAN interface of the Soekris to connect to the first LAN of the home router. But let's go one step at a time. We were at the prompt of our fresh M0n0wall running on the 4501. Press 1 to select the interfaces. Normally they are shown as sis0, sis1, sis2 (mine has 3 Ethernet ports), corresponding to eth0, eth1, eth2. For this example I've assigned eth1 as the LAN interface and eth0 as the WAN interface, leaving eth2 free without adding an optional interface, no VLANs, and of course using the DHCP server (it will ask you to set a pool of addresses for it). Plug a straight-through cable from the 4501's WAN port to a LAN port of the home router, then another cable from the LAN port to your PC. Next, it's important to set your LAN IP address: create it in a different subnet than the home router's. For example, if my home LAN is the 192.168.1.0/24 network, I'll set the Soekris LAN address to 192.168.2.1/24. Set your PC to DHCP or to a static address if you prefer; in the latter case remember to use the new default gateway, 192.168.2.1. As soon as the process is complete, you can connect with a browser to http://192.168.2.1 and start your WAN configuration. Use the login/password admin/mono (you can change them of course) and go to "System" - "General setup". Point your DNS server to the home router (in this case 192.168.1.1) and be sure NOT to tick "Allow DNS server list to be overridden by DHCP/PPP on WAN". Here is an example:
Then go to the WAN section. Select "Static" as the type and take a LAN address from the pool of the home router's network (in this case 192.168.1.0) with its default gateway (192.168.1.1). Remember NOT to tick "Block private networks" at the bottom of the page, since this project uses RFC 1918 address space on the WAN side.
You should be ready to go, and able to ping all your LAN devices, including the DMZ zone and the Internet. I have never heard of a M0n0wall firewall being exploited. The security-relevant part comes when you edit the firewall rules to allow access from outside: if an attacker got into LAN 1 (the home/office router's network and the DMZ), the firewall would still block access to our private LAN as long as no such rules have been added. I've also tested the R52Hn card for WLAN. The card is recognized correctly by the OS, but it ends with a status 14 error. I've found that the problem is resolved in FreeBSD 9, but the latest M0n0wall version is using 8.4. So, enjoy your Soekris 4501 with your new, free, firewall.