LAN/Internet protection with a Firewall, by Karl Shoemaker

Placement is your decision where you wish the components. Place them in a logical order with ease of physical access in event of maintenance. Neatness is nice, however, don't get all tied up (pun intended) with those plastic ties and all the cables, to a point you cannot move or trace anything without cutting them, later. For installing the software, the documentation comes with the downloading of the Smooth Wall Express "package" from their web site, which has all the instructions on how to do this. They give you the option to create either a (2-disk) floppy installation set, or a (single) CD install disk. Even though the Author prefers the former (old school) the later was chosen to be compatible with "peers"/friends/helpers for the very first installation in 2005-ish.

Starting with the ISP's access point (left picture) is a microwave (incoming) link from their "head end" office, then repeated to your local neighbor, usually on an Omni-directional antenna, with the usual 802.11b or g protocol. From that signal you can use a grid dish (right picture) or when real close even a whip on the back of the radio (or PC card) will work. For this project the ISP's antenna is about 300 yards away on a 100-foot water tower. Because of being real close multi-path distortion and path loses were not an issue. In fact, a little whip antenna was all needed to connect, however, the Author choose a little more RF "headroom" with a grid dish antenna, from an old TV down converter from a discontinued TV provider. Since the antenna did not have any electronics in it, therefore, was passive, it was a simple matter of mounting and pointing it to the ISP antenna.

If you are fortunate to already have a radio and antenna in your possession, it should be able to "see" a signal from the ISP access point. If you are satisfied with the signal proceed with the next steps. Otherwise, if you don't have the radio equipment or need to purchase it, now would be a good time to call the ISP that serves your area. If you are using the same equipment as the Author's you might tell them you'll be installing your own equipment (whether you purchased it from them or elsewhere) and will be running PPPoE (Point-to-Point-Protocol-over-Ethernet). At this time they should also be asking you any other pertinent questions. Be sure to establish the type of support you may need, in case of problems. This is probably the major issue with any ISP. So find out what you are getting for your money, when you sign up. If you forget/fail to communicate this, with understandings, you may end up "paying" for that mistake at a later time. House calls are usually expensive and sometimes not convenient to the homeowner. It's up to you.

From the (grid dish) antenna low loss (LMR-400) cable ran to inside where a rack of LAN equipment with an "N" type coaxial termination. White outer jacket was chosen for easy identification in a cable group on the tower or inside routing of wires. This type of coax is suitable for shorter runs, like this 30 footer to the radio. The little signal loss this type of cable run is more than made up in the gain of the antenna. Plus, the fact this model of radio runs a +18 dbm will insure a good path/connection to the ISP's access point. A +18 dbm radio is plenty of power for even long distances; more than a mile, line-of-sight. Take this into consideration if you are far away from the access point.

You can see the (white) coax enters the rear of the radio, which has a reverse TNC connector. Since the end of the coax was terminated with a "N" male, an order to Mouser Electronics (part number 523-242131RP) for a reverse adapter was needed to get it back to the "normal" N type connector for the coax to plug into.

The radio takes an external (wall-wart) power supply from standard 110 AC. Its on UPS back-up power. More on UPS later. It also has an ethernet (modular) jack in the back. The front has some nice indicator (LED) lights for status and troubleshooting the system. It's small and fairly economical (About $150).

From the radio, is a cross over cable, going to the red NIC on the firewall. The other side of the firewall's green NIC is connected with a straight though cable to a 4-port switch, which allows four PCs to be connected on this LAN. In fact, if you run out of ports, and/or have a long distance to run you can install additional switches along the way. The Author's system has one switch (a cheap router strapped as a switch), with the green side connected, a local PC, another run to another room, plus a long run into the house. In the house is a second 8-port switch with some "home runs" to various rooms for present and future PCs to be operated on the internet.

The front of the radio has three indicators: power, LAN and WAN, the latter being the IPS's access. Normally (while connected) all three should be lit. A switch, to the left of its distributes the (protected) traffic from the firewall, which we will cover, later.

It's a good idea to support the firewall, radio and switch on U.P.S. power for brief outages, especially on weekends. The "hungry" devices, such as monitors don't need this since most of the system will be accessed remotely on their separate equipment at another location, such in the home. It's also a good idea to label most of the AC cords, so you don't unplug the wrong one, at the wrong time. For black (cords and such) surfaces, the Author found a silver felt marker, instead of the (miserable) black ones you find everywhere. For the firewall site, it's good to keep a few spares of cables made up for future expansion, testing and troubleshooting.

The UPS the Author choose is APC brand and model 350. Sold locally around $40, plus tax. You should measure (or at least know the specification) the AC current draw for each device supported by the UPS. In 2010 the Author found the following equipment on that UPS:

The UPS under normal conditions puts out 120 volts; running on battery the output went up to 123 volts.

Therefore, under battery condition with both drives being accessed the total equipment draw is 87.33 watts. It's also a good idea to "test" the system with UPS support by pulling the source AC power. The load test performed passed at 2 minutes, however, it's expected the UPS will run for 8 minutes before being exhausted; based on the factory chart . This time is only for brief power bumps; anything expected longer should utilize a larger UPS.

Remember that NICs and the radio are like devices. Therefore to "test" with they need a cross over cable between them. Switches, Routers and Hubs are also like devices between themselves. Having stated this, remember two other items. One, the two groups of devices just described are unlike between them. Therefore, if you are connecting any of these devices with the NIC, radio, etc, between them you generally can use a straight through cable. Two, sometimes Switches, Routers and Hubs have an auto-configuration which is a double-edge sword. Yes, you don't have to remember whether to use a cross-over cable, but you do not learn or remember this arrangement. Too many features may end up confusing you when doing trouble shooting. So be ready for the unexpected. For more information on these types of cables read over the page about Ethernet Cables on this site.

Most devices have either a single green light (LED) or a combination of green and amber ones. Some devices even have red indicators. They all mean indication of the working status, as to assist you in figuring out where a problem might be. Read any documentation that may come with the products for the correct meaning of these indicators. If there's no documentation you may have to spend extra time in "inventing" your own manual and notes for future reference.

The rear of the Firewall's PC will have two NICs, a "red" and "green" one, for the internet side and (protected) LAN side, respectively. It's a good idea to label each NIC (as shown) and mark each cable to avoid grief later, when working on the system and changing out equipment. Hardware seems to be a cause of big time-consuming and frustrating repair issues on LANs. For example, the Author and a friend spend several hours trying to get a second (backup) firewall box on line. The next day the Author discovered the wrong type of cable was being attempted and discovered a cross over cable was needed between the radio and red NIC. (like devices). Much more discussion is covered on this subject in the Ethernet Cable article on this site. The center picture shows an example of a good site, containing a Firewall box, a Windows® (98SE) box, with their own keyboards, one mouse and monitors for on-site on-line testing. At the top of the rack is the radio and switch, which we covered earlier.

If you have a large bench to lay things out, helps when building up a firewall box and deciding which components to use, such as the NICs. NICs come in many brands and models, either in PCI or the old ISA slot type. During the "setup" Smoothwall Express will automatically identify most PCI cards and a few ISA cards, so take that into consideration when selecting them. Even for the older ISA cards you still can manually configure them, it just takes longer. One other point recently discovered was that certain NICs don't "like" to work well with certain others NICs in the same PC. For example, using a mixture of card slot types don't always work. When an ISA and a PCI NIC is installed in the same (firewall) PC SmoothWall would "talk" to them on boot-up, however, the green one did not seem to communicate with another PC (and it's NIC). When both red and green NICs where the same slot type (PCI or ISA) things worked fine, even with different models of NICs. Going through half a dozen NICs took half the night, however some "spares" where found this way and where put boxed up for that "doomsday" when lighting or some other culprit might strike.

The Smoothwall installation will identify the MAC address for each NIC, however, you can find out that most of the NICs have labels on them with this address. A MAC address identifies a physical device for LAN management. The left is a PCI slot type, with an ISA on the right. Notice the newer and older board technology has the components of opposite sides for each type, along with the (obvious) board pin differences.

On the green side of the firewall, a (straight through) cable then can run into a switch to distribute the LAN for other devices at the site. From this site is a 300-foot run into the home. This connects to a second switch, shown here, for two reason. 1- after that long run the signals need a boost/buffering and 2-Several areas of the home need workstation/PC "drops" (connections), therefore, this 8-port model was locally purchased. Most of these switches run around $30 as of 2006. Again, it's a good idea to mark the cables so you know where they go, when troubleshooting something a year or two later.

Now that you've got your hardware installed, it's time to install the software. The quick install (pdf) file will get you going. Plus, a slightly different file may help as well.

From there you could paste the text to a plan text viewer (or file)if you wish. Follow the instructions. Keep in mind there's two parts to the setup. At this point, insert the CD in that new Firewall box you build up and get into the "setup" (BIOS) to choose the CD as the first boot-device. If this is not possible (older PC) you still have the option to create a floppy boot/install set. The document, just mentioned covers this. Save your BIOS changes and boot from the disk, following the prompts. This is done from the "console" or the local keyboard of the firewall PC. Answer the questions. Some of the choices you'll see on your screen are shown, here, but not all situations will be the same. Again, as said the documentation (above) covers this. Once you've installed SmoothWall, you'll reboot into the Linux O/S. During this time SmoothWall will not be able to "talk" to the red NIC, because that NIC has not yet been setup up to talk to the radio and the ISP. Therefore, you will not hear the (mid-pitched) "beep" from the red NIC. You will, however, hear a three (low-mid-high pitched) "beep-beep-beep", indicating SmoothWall is now talking to the Green NIC. At this point you could ping the green NIC from anywhere inside your LAN, as a test only. Also, now, the screen should show the command prompt for login, as shown in the left picture. Do so with the "setup" username and the password you choose during the installation of SmoothWall.

Once you get logged into the setup you'll see a series of graphical dialog boxes with choices. Follow the Quick Start manual. It comes with the SmoothWall package as a pdf file. A doc version is available at the link in the above paragraph as well. If you don't have the manual handy we can go over the rough areas. Most navigation is with your arrow and tab keys and space bar or enter to get there. First, get into "Networking", then "Network configuration type".

Select the "GREEN + RED", then "OK". Next get into "Drivers and card assignments". Normally SmoothWall automatically configures both NICs and list the MAC address for each one. If you are in doubt, go ahead and run the configuration, by selecting the "OK".

Configure each NIC (red and the green). You'll be asked how to obtain it. Most of the time do a "Probe". If the NIC type is listed in the SmoothWall install listing it will come up with a "suggestion" right away. Take the suggestion and do the same probe with the second NIC. If there's a problem, it will tell you no driver was found and give you the opportunity to manually search for the most correct one. This also indicates the problem we discussed earlier when you try to use mixed card slots types in the same PC.

After "OK"ing and "Done" etc, get back to the "Network configuration" menu and select "Address settings". These are the IP address you'll be assigning on a fixed bases to each NIC. SmoothWall has a default address for the "GREEN Interface" which works just fine for most LANs. The "Red Interface" addressing menu, needs to be set to "PPPOE". Then select "OK" to get back to the other menu. These two settings have to be correct, for the LAN to work, so pay attention to your selections.

The "DNS" menu can be left at default. The "DHCP Server configuration", however has to have the "Enabled" field activated. Use your tab key to get there, then your space bar to enable it. You'll see a star in that field when you do this. Then "OK" to get to the previous menu. Answer the questions, like "OK", "Done" to return the main menu.

The last part of the main menu is for setting passwords for three levels of access and/or firewall functions, such as logging on (remotely via a browser), shutting down the system or getting back into this setup menu. Select each one, "Admin", "Root", and "Setup" menus. We won't get into the debate of password and internet security in this article, just what works for you. The longer and more mixed characters (complicated) the passwords are is more secure; on the other hand is more time consuming to work with. When you are under stress and time is factor, take all of this into consideration. For obvious reasons, specifics are not discussed, here, or any other open public forum. Keep your sensitive notes in a safe place or memorize them. The worse that could happen if you forget then is having to re-install the Smoothwall software. After you've done this a couple times complete installation takes under an hour; at least it did for the Author. When you finish the initial setup and reboot you will see the login prompt at the command line, of the Linux operating system. At this point all the devices should be communicating with each other on your LAN. You can tell this by hearing some "beeps". More on this, in just a little while. Try pinging your firewall from another PC on your LAN. You can also ping between PCs on your LAN. Another nice feature is being able to transfer (even large) files between PCs and even share files and printers. However, you are not done, as you are not yet connected to the outside (red side/internet) world.

Now, get into the SmoothWall remote "setup". This is done from another PC with a browser on your LAN. And, just in case you were wondering and wishing, it's not (presently) possible to do this from the local SmoothWall keyboard (console), so you have to grab another operating PC. Assuming all your cabling is correct your second PCs NIC should be talking to the green NIC on the firewall. Remember all the discussion about straight and crossover cables, etc. Assuming you have green lights on all your NICs, switches and other devices on your LAN, you need to log into SmoothWall. Use the IP address that you pinged the firewall in the previous step, followed by a suffix at the end of the address. The manual will tell you all of this. This is normally no security risk mentioning this, here, since this is on the green side. A hacker on the "red" side (internet) should not be able to access the system with this address.

Once you've logged into SmoothWall click on the networking tab. You'll be prompted for the Admin's password, that you choose in earlier steps. Now, enter a Profile name. It could be anything such as the name of your ISP. Next, select the Telephony Interface, which is " PPPoE ". Also, check the two boxes; "Connect on SmoothWall restart" and "Persistent connection". This will save the pain of having to do it manually, later if and when the ISP goes down. On the fields marked "Authentication Username" and "Password" enter the information that you and your ISP decided on when signing up for the subscription. The picture examples are small for just a general idea of what you will see. That's pretty much all you need to change. Feel free to browse around on the many SmoothWall tabs to learn, however be careful and test any changes after clicking on the "save" button. It's a good idea to write down what you changed in case it causes a failure and you need to restore the original settings.

If SmoothWall did not already connect you, click on the "connection status" (upper right) and then click on "connect". It may take 20 or 30 seconds for the negotiation between your IPS and SmoothWall. During this time Smoothwall will electronically "ask" your ISP's server to assign it a dynamic IP address. Once this happens this address will identify you from the outside world (red side=Internet). This address assignment will stay with your firewall forever, unless the connection gets dropped for various reasons, such as ISP failure (it happens a lot; more than you know), power outage, or yourself working on the system, etc. This address is handy for ISPs to check on your connection status or someone that might want to trace (route) you and your equipment. However, it's also a good tool for (bad) hackers to try to damage your system. SmoothWall expects this and has protection against this type of malicious action. Occasionally, hackers might try port scanning and you hear the firewall's hard drive click (writing) each time. It's just rejecting and possibly logging those attempts.

At this point you should be connected to the outside (internet) world, and should be able to ping(see picture) outside sites and start surfing the web. Also from now on, whenever you power down the firewall you will hear a (low-pitched) "beep-beep", followed by a single (mid-pitched) "beep". It's only speculated (at this point) those beeps are indications SmoothWall is talking to each NIC on shutdown. Also, when you (now) boot up you will now hear a single (mid-pitched) "beep" indicating SmoothWall is talking to the red NIC then, shortly afterward, a three (low-mid-high pitched) "beep-beep-beep", indicating SmoothWall is talking to the green NIC. These beeps are not to be confused with the PCs BIOS "okay" beep at the very beginning of a boot. If you watch the firewall's screen you'll see lots of (Linux) messages screaming by. After a while you be able to catch a few and get clues on the health of your firewall. Linux is a very stable and reliable operating system. And SmoothWall express is very good, as well. The two make a great LAN/Firewall for internet protection. Remember to considered the (mentioned) U.P.S. for your LAN equipment such as your radio, switch and PC/firewall to protect those annoying brief power outages that the utility companies sometimes like to do.

It's unbelievable how much we get used to the convenience of these "appliances". When a piece of technology, such as this, fails, you'd think it's doomsday or something! ISPs do have technical problems, at least in the case of the Author's. It's not uncommon to get "dumped" like you did on the slower, dial-up connections. The causes could be complicated and very time consuming to find. The good news is most outages only lasts a few seconds. So let's starting thinking pro-actively (what a concept!!) about what-if scenarios, for future problems. Computers and electronic devices DO FAIL; accept it-- it's just a matter of time. That's what keeps us repair people in business ! For example, isn't it "great" when your most loved customer, your spouse, yells at you "my thing doesn't work", or slightly better, "my computer doesn't work" ? What that person is trying to say (in ignorance) is the internet connection is not working and their little world is crashing in. At best, it's an irritant. If you don't see a "connected" status within 5 minutes of start-up on the SmoothWall menu, this indicates a problem you might have with your settings, cabling, etc.

You may have to call your ISP for help. This is a good time to take a deep breath, take a valium or whatever, because you may be on the phone for a while especially if it's an automated system and/or a large company. Calling them may not give you much satisfaction, other than the (stupid, but polite) generic answer "we are working on the problem". Sounds familiar? (thinking of the telephone company.) Or better yet, that (stupid) recording "your call is important to us, please hold". This drives the Author nuts, so bring a drink or snack when you call for support. You might consider getting a telephone headset, or speaker phone, so you can do other things around the office while on-hold or waiting for something to happen. Another "trick" the Author does is by having two PCs in the working area. While one is being worked on by the ISP and you, the other is ready for other stuff.

Some ISPs do not do well with Linux. Either they do not like Linux, or are too embarrassed to admit they know nothing about this O/S. Therefore, the support person on the phone might start giving you real basic (and stupid) instructions, like "click on start, then click on....", etc, etc. You'll have to make a decision to either play along with this and make your own translations or tell them what you really are doing on your PC and risk them getting a down-founded, glazed over eyes and can't support you. One sign of this (communication) problem is long pauses from them, after you say something about what you've done. In some cases you may have to ask "are you still there?". Another suggestion is to "feel them out" during sign-up subscription on how much they know about such systems. The masses only know something about Windows products so be ready for that mentality. It's not the intention to bash companies; just remember what you are getting into and be prepared to avoid a frustrating time working with them during an outage.

When your ISP repairs the outage, SmoothWall should be able to handle this and get you logged back on line automatically. If not, your "customers" (spouse, etc.) can log in with the admin password to manual attempt a re-connection. Each time your are connected (auto or manually) your red side will be assigned a new (and most likely different) IP address. That's the dynamic IP addressing you've selected, due to your subscription with your ISP. However, if you wanted static IP address, that can be arranged as well with your ISP, then in the SmoothWall settings. Either way, a competent ISP should be able to "see" your red side/radio access point on their system, even remotely. Remember, the green side IP address will stay the same, and not be able to be pinged, accessed or otherwise seen by anyone on the internet side. This is the Firewall's security design. All these issues are good "testers" to see if your ISP is worth something for that 30-50 bucks a month you are paying them for the service. Remember not to burn your bridges, since they may be the only wireless provider around. Sometimes it takes great patience to deal with some of them and understandably it's hard to maintain a polite and positive attitude during an outage.

This is the end of the Fire wall article. Thanks most go out to several friends and associates helping the Author with the development and knowledge of such system. In return the Author hopes this article will benefit others out there, attempting the same thing. There's no reason to re-invent the wheel and go through what the Author did. You are free to pass this information anywhere, on a non-commercial basis, with acknowledgment of the Author.

 

 

Back to SRG tech page