Ultimate Linux Router

Discussion in 'Other Operating Systems' started by muzzymurray, Jun 30, 2008.

  1. muzzymurray

    muzzymurray Member

    Joined:
    Aug 16, 2003
    Messages:
    433
    Location:
    Perth
    Ultimate Linux Router
    ---------------------------

    Hi guys, I have been thinking for a while about setting up a linux router as my ADSL router and have finally taken the plunge. While I know that there are some custom-built distros for this sort of thing (for various reasons) I am going to try and set up the entire thing on ubuntu server.

    I am going to try to use this as a bit of a journal to get advice and give others a chance to provide input. Also, if anyone else out there is interested in doing something similar, feel free to ask questions of me.

    My existing network used a Netcomm NB5 as a modem in bridged mode. A Cisco Pix 501 firewall provided PPPOE and firewalling. I had this setup because a few years ago I was pretty into Cisco networks and it was half functional, half educational. The Cisco Pix firewall will no longer do as it cannot do IPv6, QoS, SIP/Asterisk tunneling, IPSec tunneling or web serving.

    I have had a linux server for a while that has simply done plain NFS, sharing a 500GB storage drive. My new setup will basically consolidate as much functionality into one box as possible. I am hoping that it will do:

    Networking:
    • PPPOE [Done!]
    • NAT [Done!]
    • IPv4/IPv6 dual stack
    • Dual Radio 802.11g and 802.11a Access point (Not possible due to lack of PCI slots)
    • QoS and traffic shaping [Done!]
    • IPSec tunnel

    Applications:
    • Squid Cache [Done!]
    • NTP Server
    • DNS Server
    • Ubuntu local repository [Done!]
    • VoIP server: SIP/AIX (Asterisk)
    • NFS [Done!]

    The hardware that I am going to use is:
    • AMD Sempron 2800+
    • 512 MB of RAM
    • 4 GB Sandisk Compact Flash (For a low power boot drive)
    • 500GB storage drive
    • 100 Mbit onboard lan
    • 1 Gbit PCI card
    • 2x MiniPCI Intel PRO 2915 ABG

    I will be editing the section above with further details and asking questions separately below to keep things clean.
     
    Last edited: Jun 24, 2009
  2. OP
    OP
    muzzymurray

    muzzymurray Member

    Joined:
    Aug 16, 2003
    Messages:
    433
    Location:
    Perth
    First question, does anyone know of anywhere that you can get half height ADSL PCI cards that work with linux. I have had a bit of a google and heard some info about a Sangoma card but I am not sure that they make them anymore. Otherwise I will unfortunately have to deal with continuing to use a separate adsl modem connected through ethernet.
     
  3. rockofclay

    rockofclay Member

    Joined:
    Nov 10, 2002
    Messages:
    1,524
    Location:
    Melbourne, 3056
    Hi there. I tried the same thing a while back with Vector linux. I found that the linux community is not very open to helping people with running a desktop as a server role, and found it hard to achieve the goals I was after (bandwidth monitoring and limiting by ip).

    Good luck, I'll keep an eye on this thread

    Have you thought of just getting a basic adsl modem and running it through a second network card in the pc?
     
  4. wilsontc

    wilsontc Member

    Joined:
    Jan 1, 2004
    Messages:
    334
    Location:
    Melbourne

    Just stick with your modem. There are (were?) cards out there, but are crazily expensive due to no demand.

    You can always duct tape the modem to the side of the case :)
     
  5. OP
    OP
    muzzymurray

    muzzymurray Member

    Joined:
    Aug 16, 2003
    Messages:
    433
    Location:
    Perth
    @wilsontc and rockofclay

    Yeah I thought that might be the case, I will probably just stick with my modem then.
     
  6. the-enigma

    the-enigma Member

    Joined:
    Mar 18, 2002
    Messages:
    1,728
    Location:
    BrisVegas
    Depends on your definition of "desktop as a server role".
    If you're looking for GUI apps to help set up DNS/routing/etc, then yes you generally are out of luck. Those things are generally done via CLI, and if you want a GUI tool then you'll have to create one first.
    If you're just using a desktop distribution but want to run servers on it, then generally all config files are the same across the various distributions and it won't matter, as long as you are capable of editing config files.

    Of course, if you have issues actually installing the various bits of server software then yes, you'll generally be palmed along to your distribution's web page.
     
  7. 4wardtristan

    4wardtristan Member

    Joined:
    Apr 9, 2008
    Messages:
    1,181
    Location:
    brisbane
    just go clark connect

    does brilliant qos/bandwidth limiting at home for me

    perfect tf2ing whilst dud family bittorrents whatever they feel like

    proxy also saves a fair bit of bandwidth per month

    does ipv6

    has support for asterisk(sp?) or freepbx something along those lines

    but yes i searched for ages for something like this and this has simply amazed me, and some :thumbup:

    edit:and by "just go clarkconnect" i keep your modem in bridge and yeah you know the rest..
     
    Last edited: Jun 30, 2008
  8. Biterphobia

    Biterphobia Member

    Joined:
    Jan 20, 2006
    Messages:
    113
    although you say perfect tf2ing, I ask; by how much does your ping differ from when your router is prioritizing the tf2 and bittorrent traffic, compared to a tf2 ping when on your network with no other downloads/uploads going at it.

    my cheap router with a bad qos implementation manages to keep tf2 at around 300-350ms when it would otherwise be at 900+.
     
  9. 3Toed

    3Toed Member

    Joined:
    Oct 7, 2005
    Messages:
    134
    Location:
    Sydney, Australia
    There's a Viking ADSL2 PCI card.

    I bought one and am running it in my m0n0wall box. The way the card works is it appears to the OS as another network card so all you need to do is check that the OS you're using supports that particular chipset. There's doco on the site I linked.

    The card itself can act as the modem where it authenticates to the ISP or as a bridge so the OS does the authentication. I've gone with the latter so I can configure the PPPoE stuff in m0n0wall.

    It's a half height card but the end plate is full height. You'll need to mod it or find another half height end plate and mod it accordingly. Personally, I took off the end plate and run the card "naked". It doesn't move around so I figure it's safe.

    Yes, the card costs about as much as a router does but you have 1 less device and 1 less power brick to muck around with, and with the right OS you get so many more options than an off the shelf router.
     
  10. yanman

    yanman Member

    Joined:
    Jun 4, 2002
    Messages:
    6,600
    Location:
    Hobart
    muzzymurray what about running an emulated cisco router on your ubuntu box :) that way you get all the advanced features and an interface that you might be more familiar with. dynamips and pemu (PIX emulator) will do it

    that Viking card looks cool, but the data-sheet doesn't mention Annex-M. I'm wondering - maybe you could just buy the cheapest plain Annex-M router around (that's reliable), disassemble it and mount it inside your PC powered from the 12V or 5V rail ;) Configure it in bridge mode and pass the cable out and in to one NIC
     
    Last edited: Jun 30, 2008
  11. round

    round (Banned or Deleted)

    Joined:
    Apr 7, 2007
    Messages:
    15,474
    Location:
    /pol/
    ill watch this thread, i want to see what you make.


    been thinking about doing this, with a massive file server as well.
     
  12. yanman

    yanman Member

    Joined:
    Jun 4, 2002
    Messages:
    6,600
    Location:
    Hobart
    I'd love to try this with an Intel atom-based system, or a VIA ITX etc. These CPUs are definitely more than enough for the tasks of a software router, firewall, VPN terminator, proxy, intrusion-detection system and more.
     
  13. round

    round (Banned or Deleted)

    Joined:
    Apr 7, 2007
    Messages:
    15,474
    Location:
    /pol/
    yeah, well routing isn't cpu intensive,

    and an atom sounds like a good idea if buying new, may consider that :)
     
  14. yanman

    yanman Member

    Joined:
    Jun 4, 2002
    Messages:
    6,600
    Location:
    Hobart
  15. OP
    OP
    muzzymurray

    muzzymurray Member

    Joined:
    Aug 16, 2003
    Messages:
    433
    Location:
    Perth
    Sold! Buying it now. Thanks. That was the general idea, get rid of all my separate devices and concatenate them all into one device.

    As some people have said an atom based PC (ultimate low power, Built in Gbit Ethernet and decent performance) would be perfect for something like this but for now I will just try to reuse my server.

    In response to the suggestions to just use a prepackaged distro like clarkconnect, this project is partially motivated by the things that I will learn. Hence I want to be trying IPv6, solid state boot drives et cetera.

    Thanks for the replies
     
  16. OP
    OP
    muzzymurray

    muzzymurray Member

    Joined:
    Aug 16, 2003
    Messages:
    433
    Location:
    Perth
    After a lot of thinking I decided against getting the Viking ADSL2 PCI card. The reason was because:

    a) It didn't do annex m
    b) I already had a modem that I could use which was reliable and did Annex M.
    c) I only have 3 PCI slots, 2 will be taken up with wireless cards and the other was a Gbit PCI card. Had I got the ADSL PCI card my machine would no longer be able to do Gbit speeds.

    Thus far I have got basic router functionality
    - ADSL - pppoeconf
    - DHCP - dhcp3-server
    - NAT/Firewall - Simple script (see below)

    Code:
    # Enter the designation for the Internal Interface
    INTIF="eth1"
    
    # Enter the NETWORK address the Internal Interface is on
    INTNET="10.0.0.0/24"
    
    # Enter the IP address of the Internal Interface
    INTIP="10.0.0.1/24"
    
    EXTIF="eth0"
    
    EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
    
    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_nat_irc
    
    echo "    Enabling IP forwarding..."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    
    echo "    External interface: $EXTIF"
    echo "       External interface IP address is: $EXTIP"
    echo "    Loading firewall server rules..."
    
    UNIVERSE="0.0.0.0/0"
    
    # Clear any existing rules and setting default policy to DROP
    iptables -P INPUT DROP
    iptables -F INPUT
    iptables -P OUTPUT DROP
    iptables -F OUTPUT
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -F -t nat
    
    # Flush the user chain.. if it exists
    if [ "`iptables -L | grep drop-and-log-it`" ]; then
       iptables -F drop-and-log-it
    fi
    
    # Delete all User-specified chains
    iptables -X
    
    # Reset all IPTABLES counters
    iptables -Z
    
    # Creating a DROP chain
    iptables -N drop-and-log-it
    iptables -A drop-and-log-it -j LOG --log-level info
    iptables -A drop-and-log-it -j REJECT
    
    echo -e "     - Loading INPUT rulesets"
    
    #######################################################################
    # INPUT: Incoming traffic from various interfaces.  All rulesets are
    #        already flushed and set to a default policy of DROP.
    #
    
    # loopback interfaces are valid.
    iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    
    # local interface, local machines, going anywhere is valid
    iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
    
    # remote interface, claiming to be local machines, IP spoofing, get lost
    iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
    
    # remote interface, any source, going to permanent PPP address is valid
    # NOTE: this accepts every unsolicited packet from the Internet to the
    # router's own address, so the ESTABLISHED,RELATED rule below never gets
    # a chance to do its job. Remove this line if the router should only
    # answer connections it started, and open specific ports instead (as
    # the optional port 80 rule below does).
    iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
    
    # Allow any related traffic coming back to the MASQ server in
    iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    
    #  OPTIONAL:  Uncomment the following two commands if plan on running
    #             an Apache Web site on the firewall server itself
    #
    #echo -e "      - Allowing EXTERNAL access to the WWW server"
    #iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
    
    
    # Catch all rule, all other incoming is denied and logged.
    iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
    
    
    echo -e "     - Loading OUTPUT rulesets"
    
    #######################################################################
    # OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
    #         already flushed and set to a default policy of DROP.
    #
    
    # loopback interface is valid.
    iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    
    # local interfaces, any source going to local net is valid
    iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
    
    # local interface, any source going to local net is valid
    iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
    
    # outgoing to local net on remote interface, stuffed routing, deny
    iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
    
    # anything else outgoing on remote interface is valid
    iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
    
    # Catch all rule, all other outgoing is denied and logged.
    iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
    
    echo -e "     - Loading FORWARD rulesets"
    
    #######################################################################
    # FORWARD: Enable Forwarding and thus IPMASQ
    #          Allow all connections OUT and only existing/related IN
    
    iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    
    # Catch all rule, all other forwarding is denied and logged.
    iptables -A FORWARD -j drop-and-log-it
    
    # Enable SNAT (MASQUERADE) functionality on $EXTIF
    iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
    
    echo -e "    Firewall server rule loading complete\n\n"
    
    The pppoeconf was surprisingly easy. I would actually say that setting up adsl on a Linux device is easier and quicker than a web based GUI and definitely easier than a Cisco router/firewall.

    The next step is to move all of the parts of the OS that are constantly being changed to the 500 GB hard disk. The theory is that CF has a limited number of read/write cycles. Therefore I will be moving /var/log to a section on the 500GB hard disk.
    Two questions, firstly, can anyone here think of another part of the OS that I should also try to move to the 500GB drive? Secondly, what is a good manner to be implementing this task. I want to avoid doing this while the OS might be writing to the disk. I am thinking:

    1) get into single user mode
    2) copy the relevant directories to parts of the 500GB hard disk
    3) create symbolic links to those directories

    Following this I plan to implement some QoS on the router. I have been reading through a couple of guides online however a lot of them seem like very basic QoS implementations. Does anyone know if it is possible to do a Cisco style, CBWFQ (Class Based Weighted Fair Queue) with WRED (Weighted Random Early Detection)?
     
    Last edited: Jul 1, 2008
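One way to carry out the three-step move described in the post above (single-user mode, copy, symlink) with a verification step before the original is touched. This is an added example, not the poster's script; the /var/log and /mnt/hdd paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): move a write-heavy directory such as
# /var/log off the CF boot drive onto the 500 GB disk and leave a symlink in
# its place. Run it from single-user mode so nothing is writing to SRC while
# it moves. SRC and DEST are parameters so the function can be tried on
# throwaway directories first; the paths in the comments are assumptions.
set -eu

# relocate_dir SRC DEST
#   SRC   directory to move, e.g. /var/log
#   DEST  new home on the big disk, e.g. /mnt/hdd/var/log (must not exist yet)
relocate_dir() {
    src=$1
    dest=$2

    # Refuse to run on a missing directory, on a symlink (already relocated)
    # or onto an existing destination, so a repeat run cannot clobber data.
    [ -d "$src" ] || { echo "relocate_dir: no such directory: $src" >&2; return 1; }
    [ ! -L "$src" ] || { echo "relocate_dir: $src is already a symlink" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "relocate_dir: $dest already exists" >&2; return 1; }

    mkdir -p "$(dirname "$dest")"
    # -a preserves ownership, modes and timestamps; syslog and logrotate
    # care about all three.
    cp -a "$src" "$dest"
    # Verify the copy byte for byte before touching the original.
    diff -r "$src" "$dest" >/dev/null

    # Keep the original under a .orig name until the new location has
    # survived a reboot, then delete it by hand.
    mv "$src" "$src.orig"
    ln -s "$dest" "$src"
    echo "relocate_dir: $src -> $dest (original kept at $src.orig)"
}

# relocate_ok SRC: succeeds only if SRC is now a symlink to a real directory.
relocate_ok() {
    [ -L "$1" ] && [ -d "$1" ]
}

# Invocation for the thread's case, commented out because it needs root:
# relocate_dir /var/log /mnt/hdd/var/log
```

If a package's maintainer script objects to /var/log being a symlink, a bind mount of DEST onto SRC in /etc/fstab is the equivalent alternative.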
  17. OP
    OP
    muzzymurray

    muzzymurray Member

    Joined:
    Aug 16, 2003
    Messages:
    433
    Location:
    Perth
    Just a little update. Using the methods described above I have managed to move my swap partition to the larger hard disk drive. In addition, I have also moved /var/log/ to the hard disk. This should substantially reduce the number of constant writes to the compact flash drive.

    The next step is to further explore QoS in Linux. At the moment I think that what I want can be achieved using hierarchical token bucket (HTB) but I need to do a lot more reading until I can properly understand it.
     
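The CBWFQ/WRED question from the earlier post and the HTB plan just above map onto Linux tc like this: HTB classes are the Cisco classes with guaranteed bandwidth, SFQ leaves give per-flow fairness, and RED on the bulk class is the closest analogue of WRED. This is an added example, not code from the thread; ppp0 and an 800 kbit uplink are assumptions, and `show` prints the commands so the policy can be reviewed before `up` applies it as root.

```shell
#!/bin/sh
# Added example, not from the thread. CBWFQ-style egress shaper for the
# ADSL uplink using HTB; interface name and sync rate are assumptions.
DEV=${DEV:-ppp0}
UPLINK=${UPLINK:-800}           # assumed uplink sync rate, kbit/s
CEIL=$((UPLINK * 90 / 100))     # shape under sync so the modem's own queue stays empty
DRYRUN=${DRYRUN:-0}             # 1 = print the tc commands instead of running them

tc() {
    if [ "$DRYRUN" = 1 ]; then echo "tc $*"; else command tc "$@"; fi
}

shaper_up() {
    tc qdisc del dev "$DEV" root 2>/dev/null || true
    # Root HTB; anything no filter matches falls into the bulk class 1:30.
    tc qdisc add dev "$DEV" root handle 1: htb default 30
    tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${CEIL}kbit" ceil "${CEIL}kbit"
    # 1:10 VoIP signalling (SIP): 15% guaranteed, served first.
    tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$((CEIL * 15 / 100))kbit" ceil "${CEIL}kbit" prio 0
    # 1:20 interactive (SSH, DNS, small TCP ACKs): 25% guaranteed.
    tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$((CEIL * 25 / 100))kbit" ceil "${CEIL}kbit" prio 1
    # 1:30 bulk (BitTorrent and everything else): remaining 60%, lowest priority.
    tc class add dev "$DEV" parent 1:1 classid 1:30 htb rate "$((CEIL * 60 / 100))kbit" ceil "${CEIL}kbit" prio 2
    # Leaf qdiscs: SFQ on the latency-sensitive classes, RED with ECN on bulk
    # so TCP backs off before the queue fills (the WRED-style early drop).
    tc qdisc add dev "$DEV" parent 1:10 handle 10: sfq perturb 10
    tc qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
    tc qdisc add dev "$DEV" parent 1:30 handle 30: red limit 60000 min 6000 max 18000 \
        avpkt 1000 burst 10 probability 0.1 bandwidth "${CEIL}kbit" ecn
    # Classifiers: SIP to 1:10; SSH and DNS to 1:20; small TCP packets with
    # the ACK flag set (the LARTC wondershaper match) to 1:20 so downloads
    # keep flowing while the uplink is saturated.
    tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip dport 5060 0xffff flowid 1:10
    tc filter add dev "$DEV" parent 1: protocol ip prio 2 u32 match ip dport 22 0xffff flowid 1:20
    tc filter add dev "$DEV" parent 1: protocol ip prio 2 u32 match ip dport 53 0xffff flowid 1:20
    tc filter add dev "$DEV" parent 1: protocol ip prio 3 u32 match ip protocol 6 0xff \
        match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:20
}

shaper_down() { tc qdisc del dev "$DEV" root; }

case "${1:-}" in
    up)   shaper_up ;;
    down) shaper_down ;;
    show) DRYRUN=1; shaper_up ;;
esac
```

Only egress on ppp0 is shaped here; the download direction can only be policed, not queued, on the router side.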
  18. yanman

    yanman Member

    Joined:
    Jun 4, 2002
    Messages:
    6,600
    Location:
    Hobart
  19. Icidic

    Icidic Member

    Joined:
    Mar 17, 2007
    Messages:
    562
    Location:
    Brisbane, Queensland
    Might I suggest that you investigate using a Shorewall firewall implementation as opposed to raw IPTABLES rules as it's a lot easier to set up for multiple network interfaces, still has the power of the CLI/config files and also is very modular when it comes to upgrades and other plugins. When it boils down, it's just an interface to IPTABLES anyway, but I think it's easier to configure.
     
  20. OP
    OP
    muzzymurray

    muzzymurray Member

    Joined:
    Aug 16, 2003
    Messages:
    433
    Location:
    Perth
    Ok so the reason that I have not done this is because I would like to do everything by hand and better my Linux/networking skills in a whole bunch of areas a bit more. It would be a valid point for the average joe that just wants something to work though.
     
