Sunday, May 20, 2012

The Screaming Viking

Lasciate ogni speranza voi ch'entrate

smoothwall

Posted by Grand Poobah on October 4, 2011

Man, it has been a challenge getting the smoothwall working the way I wanted it to out in the sticks.  One of the initial problems I had was the ancient box I was using.  It was good enough for a while, but it was starting to go to hell on me.  It was throwing disk errors sometimes, wouldn’t connect sometimes…one of the ports was going bad…it was just not a good situation.  I replaced that with a newer one, and that was working all right…but I wasn’t getting quite what I expected out of the QoS.

QoS for smoothwall worked decently in town…it never really did what I thought it should though.  What it actually does on the smoothwall box is cut down the % of the overall bandwidth you have for each service.  If I set p2p on “low” it will give it 50% max of my total connection; “slow” looks to be about 25%.  This allows you to prioritize some traffic, but it isn’t exactly what I want.  When the connection is sitting idle, I’d like whatever is using the pipe to use all it can…when the connection is used by something with a higher priority, that gets the majority of the pipe and the lower stuff gets cut back.  I did increase my headroom to 10%; this seems to have helped some, but it still doesn’t do what I want.  I’ve done some reading about this and apparently getting QoS to work any better on smoothwall is quite a challenge.  Some guys who know way more than I do about networking have hacked away at it and had some measure of success.  One of these guys has his own customized version of smoothwall…so I thought I’d give that a go.
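What the paragraph above is describing is the difference between a fixed percentage cap and a work-conserving scheduler. The short Python model below is an added illustration, not smoothwall’s code and not anything from the customized build mentioned above; the link speed, class names, caps, guaranteed rates and priorities in it are constructed. The first policy caps each class at a fixed share of the link (the 50%/25% behaviour described above), so an idle line stays partly idle. The second hands each class a guaranteed rate and then lets classes borrow whatever is left in priority order, which is roughly what a Linux HTB class does with its rate, ceil and prio settings.

```python
"""
Two ways a firewall can divide a link between traffic classes.

Added example, not smoothwall's code.  fixed_cap_allocation() models the
behaviour the post describes (each class capped at a fixed share of the
line whether or not anyone else is using it).  work_conserving_allocation()
models what the post is after: a guaranteed rate per class, a ceiling of
the whole link, and priority order for whatever is left over.
All numbers are constructed for the example.
"""
from dataclasses import dataclass, replace

LINK_KBIT = 1000  # assumed line speed for the example (kbit/s)


@dataclass(frozen=True)
class TrafficClass:
    name: str
    pct_cap: float     # fixed-cap model: max fraction of the link
    prio: int          # work-conserving model: 0 = served first
    guaranteed: int    # work-conserving model: kbit/s always reserved
    demand: int = 0    # kbit/s the class would use if unconstrained


CLASSES = (
    TrafficClass("interactive", pct_cap=1.0, prio=0, guaranteed=300),
    TrafficClass("web",         pct_cap=1.0, prio=1, guaranteed=300),
    TrafficClass("p2p",         pct_cap=0.5, prio=2, guaranteed=100),
)


def with_demand(classes=CLASSES, **demand):
    """Return the class table with the given per-class demands (kbit/s)."""
    return [replace(c, demand=demand.get(c.name, 0)) for c in classes]


def fixed_cap_allocation(classes, link=LINK_KBIT):
    """Each class gets at most pct_cap * link, served in priority order.
    Capacity that nobody is allowed to use simply stays idle."""
    alloc, remaining = {}, link
    for c in sorted(classes, key=lambda c: c.prio):
        share = min(c.demand, int(c.pct_cap * link), remaining)
        alloc[c.name] = share
        remaining -= share
    return alloc


def work_conserving_allocation(classes, link=LINK_KBIT):
    """Hand every class its guaranteed rate first, then let classes borrow
    the rest in priority order up to their demand (ceil = whole link)."""
    if sum(c.guaranteed for c in classes) > link:
        raise ValueError("guaranteed rates exceed the link")
    alloc = {c.name: min(c.demand, c.guaranteed) for c in classes}
    leftover = link - sum(alloc.values())
    for c in sorted(classes, key=lambda c: c.prio):
        extra = min(c.demand - alloc[c.name], leftover)
        alloc[c.name] += extra
        leftover -= extra
    return alloc


def compare(**demand):
    """Run both policies on the same offered load (kbit/s per class)."""
    classes = with_demand(**demand)
    return {"fixed_cap": fixed_cap_allocation(classes),
            "work_conserving": work_conserving_allocation(classes)}


if __name__ == "__main__":
    # Idle line: only the torrent client has anything to send.
    print("idle: ", compare(p2p=1000))
    # Light use: a browser on 200 kbit/s, torrents wanting everything.
    print("light:", compare(web=200, p2p=1000))
    # Contended: everyone wants more than the line can carry.
    print("busy: ", compare(interactive=300, web=400, p2p=1000))
```

The interesting case is the second one: with the fixed cap, 300 kbit/s of the line sits unused while p2p is held to 500; with the work-conserving policy p2p climbs to 800 because nothing higher-priority wants it, and it is pushed back down again as soon as interactive or web traffic appears.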

Just like any admin, before I whacked the box I decided to make a backup *.iso of the machine.  I’d done this several times before on the old box and even restored it a couple of times without issue.  For this build I had the image I’d created right after I set it up completely, and now this new one I created about a week later.  I burnt them both to disc and proceeded to load the new modified version of smoothwall.  On the new hardware I’m using, things load really fast…I was done going through the process in probably 15 min (the old box would take an hour or so).  Fired it up, looked at the QoS tab…nada, exactly the same.  The screenshots I was seeing showed something different.  I thought maybe it just worked better, so I configured my port rules and gave it a go…nope, exact same thing.

There is a module that smoothwall uses to detect the p2p traffic.  That isn’t working out well on mine.  Fine, no biggie, I hard-coded the ports I use into the settings file…nope, still doesn’t throttle it properly.  I could live with the QoS the way it’s set up in smoothwall, but it would be really handy if it detected the ports properly.  This is something new since I moved.  The old box I had would connect to Cable One via DHCP; when I brought it up to the farm the only change was to have it connect via PPPoE.  This caused a problem with the port forwarding rules, as they are not in effect after a reboot.  For some reason I need to disable/enable them after the smoothwall connects.  I posted a question on a message board about this and the useful response was that the Red (external) IP needs to be established before port forwarding rules can take effect.  I assume this isn’t happening and things get borked.  I’m wondering if this is also happening with the QoS…but then why wouldn’t it work after I enable/disable it…like the port forwarding rules do?  It seems like it identifies all the other ports correctly…but not the p2p ports.  Even if I put those ports under a different heading (gaming, for example) it doesn’t filter them properly.  I don’t get it.

I also had a problem installing this modded version that was going to make it impossible for me to use anyhow.  While it was loading it failed to create the swap as well as the subsequent partitions.  I dropped into the shell and commented out creating these partitions just to see if it was worth my time to monkey with getting it to actually install properly.  I did get it installed…but as I mentioned above, things didn’t work anyhow.  There were also quite a few disk errors because of my hack…no biggie, but if I was going to run this reliably that obviously had to be fixed.  The problem appeared to be that it didn’t drop the sda2 partition into /dev…I’m not sure why and didn’t feel like messing with it anymore.  I popped my restore disc in, rebooted…“can’t detect hard drive”…ta hell?  Reboot, same…power down, restart…same.  Pop in the disc for the modded install, finds the disk fine…but still doesn’t install properly.  I have no reason to expect there might be problems with my HD, but maybe there were.  I have moved recently; maybe things got banged around too much.  It was late, so I didn’t feel like screwing with it.  The wife relies on the connection for work, so I do have a backup Linksys router that will handle the network for us.  Even if I just used the Linksys router and not a Linux firewall…I’d still have two of them.  If one goes to hell or something, she needs to be back up quickly.  I don’t expect anything would, but I’ve got a couple of them, so it’s not like I’m buying extra hardware.  My need for redundancy stops at the extra equipment I already have…

I downloaded a new smoothwall iso at the school and installed it the following weekend…everything installed fine and it’s up and running like I expected it to be.  It has the problems I outlined initially, but once they were identified it was fairly simple (albeit a little bit of a hassle) to work through.  I set up my smoothwall with Red (external), Green (trusted internal) and Orange (DMZ) interfaces.  The idea is to run the internal network off the Green interface and the wife’s work machine off the Orange.  I have some mods installed on the smoothwall for nicety enhancements: adzap, dansguardian, clamav…etc.  Anything on the Orange connection should bypass these mods and just have a straight connection to the interwebs.  Also, this segregates her from my network.  Not that I’m worried about her machine, but if something from my network happened to get on her machine, or she attached to my network storage without thinking about it, I’d rather she didn’t get in trouble.  One thing I did find out, though, is that it doesn’t seem like she completely bypassed all of adzap.  I’m not sure exactly why this is…although, after thinking about it while I’m typing this, it is possible that Chrome had the page in question (a recipe site) cached and wasn’t trying to reload the images.  (The wife goes to this recipe site and some of the images wouldn’t load.  I found out a while ago that adzap was whacking them.  I fixed it, but after the reload I had to “refix” it.)  When we went to si.com or the InForum, the ads loaded…so I should have looked into this a little better, but it was late and I wanted it to just work for now.  I would have had to add that PASS rule for adzap anyway, as she might look at the site from an internal machine.
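Two things in these posts can be written down as concrete firewall rules: the port-forwarding rules that only take effect once the Red IP exists (the PPPoE problem above), and the Red/Green/Orange layout where Orange is a DMZ that bypasses the proxy mods and is kept away from Green (described here and again in the “New Firewall” post below). The Python below is an added example that generates such an iptables rule set; it is not smoothwall’s own rule generator and the interface names (ppp0, eth1, eth2), subnets and forwarded ports are assumptions. It shows the two ways to write a DNAT rule: the address-bound form, which cannot exist until PPPoE has assigned the Red address and so has to be deferred to an ip-up hook, and the interface-bound form, which has no such dependency and survives the address changing on reconnect. It also keeps Orange off Green while letting Green reach both, and applies the transparent proxy redirect only to Green.

```python
"""
Added example (not smoothwall's scripts): iptables rules for a
RED/GREEN/ORANGE firewall, written to avoid the two problems the posts
describe.  Interface names, subnets and ports below are assumptions.
"""
from ipaddress import ip_address, ip_network

RED_IF, GREEN_IF, ORANGE_IF = "ppp0", "eth1", "eth2"  # assumed names
GREEN_NET = ip_network("192.168.1.0/24")              # constructed
ORANGE_NET = ip_network("192.168.2.0/24")             # constructed


class RedNotUpError(RuntimeError):
    """A rule needs the RED address before PPPoE has assigned one."""


def dnat_by_address(red_ip, proto, port, target, target_port=None):
    """Address-bound DNAT.  It cannot be installed until RED is up, which
    is why rules like this vanish after a reboot on a PPPoE link; keep it
    for an ip-up hook that runs once the address is known."""
    if not red_ip:
        raise RedNotUpError("RED address unknown; defer this rule to ip-up")
    target_port = target_port or port
    return (f"iptables -t nat -A PREROUTING -d {red_ip} -p {proto} "
            f"--dport {port} -j DNAT --to-destination {target}:{target_port}")


def dnat_by_interface(proto, port, target, target_port=None):
    """Interface-bound DNAT.  Matches whatever address RED currently has,
    so it can be loaded at boot and survives a PPPoE reconnect."""
    target_port = target_port or port
    return (f"iptables -t nat -A PREROUTING -i {RED_IF} -p {proto} "
            f"--dport {port} -j DNAT --to-destination {target}:{target_port}")


def forward_accept(proto, port, target, target_port=None):
    """Let the forwarded connection through the FORWARD chain."""
    target_port = target_port or port
    return (f"iptables -A FORWARD -i {RED_IF} -d {target} -p {proto} "
            f"--dport {target_port} -m conntrack --ctstate NEW -j ACCEPT")


def zone_rules(proxy_port=8080):
    """ORANGE is a DMZ: it reaches RED but never GREEN; GREEN reaches both.
    Only GREEN is pushed through the transparent proxy / content filter."""
    return [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {GREEN_IF} -o {RED_IF} -j ACCEPT",
        f"iptables -A FORWARD -i {GREEN_IF} -o {ORANGE_IF} -j ACCEPT",
        f"iptables -A FORWARD -i {ORANGE_IF} -o {RED_IF} -j ACCEPT",
        f"iptables -A FORWARD -i {ORANGE_IF} -o {GREEN_IF} -j DROP",
        f"iptables -t nat -A PREROUTING -i {GREEN_IF} -p tcp --dport 80 "
        f"-j REDIRECT --to-ports {proxy_port}",
        f"iptables -t nat -A POSTROUTING -o {RED_IF} -j MASQUERADE",
    ]


def build_ruleset(forwards):
    """forwards: iterable of (proto, public_port, target_ip[, target_port]).
    Targets must live on GREEN or ORANGE; anything else is a typo."""
    rules = zone_rules()
    for fwd in forwards:
        proto, port, target = fwd[:3]
        target_port = fwd[3] if len(fwd) > 3 else None
        addr = ip_address(target)
        if addr not in GREEN_NET and addr not in ORANGE_NET:
            raise ValueError(f"{target} is not on GREEN or ORANGE")
        rules.append(dnat_by_interface(proto, port, target, target_port))
        rules.append(forward_accept(proto, port, target, target_port))
    return rules


if __name__ == "__main__":
    # Constructed example: a torrent client on GREEN listening on 6881.
    for rule in build_ruleset([("tcp", 6881, "192.168.1.10"),
                               ("udp", 6881, "192.168.1.10")]):
        print(rule)
```

The ordering matters: the ESTABLISHED,RELATED rule comes before the Orange-to-Green DROP so that replies to connections Green opened into the DMZ still flow, while anything the DMZ host initiates toward Green is dropped.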

Why all this hassle?  Well, like I’ve said before…a Linux firewall is about all that will handle all the connections I create…and because tinkering with things is what has given me the knowledge to get the jobs I’ve had as I’ve gone through life.  Just today I called up smoothwall corporate to ask for pricing on their content filter app and hardware for the school.  I wouldn’t have known about these guys if I hadn’t used their open source software at home.  While I might have been able to find -something- that would have worked, the base knowledge I built on my own with content filtering can’t be a bad thing.

New Firewall

Posted by Grand Poobah on September 19, 2011

This weekend I decided to build myself a new firewall.  The obvious question is, “why would you need a firewall at all?”  I realized about a year ago that I was going to need something a little better than a consumer-class router to handle my home networking needs.  It’s not that I do anything all that fancy or need more functionality; the little router was not able to handle all the connections I was creating via torrents.  It would last for maybe a couple of days, then services would slowly die.  The DHCP server might crash, the wireless might go down, then blamo, it would hard lock.  I’d have to reset the power and everything would be fine for a couple of days again…rinse, repeat.  I decided to build a smoothwall on free hardware just to see if it’s something I would use.  Fast forward a year and, as it turns out, the smoothwall is something that was kind of handy to have.  The machine I have it on, though, is starting to show its age in a bad way.  It may or may not boot up completely after a power outage.  One of the NICs is starting to get finicky about the connection…the hard drive sounds like it’s on its last legs…it’s time for a new one.  On top of all that, it would be nice to have something a little bit faster.  I decided to repurpose my old desktop for the new firewall box.  This machine has a 2.2 GHz Athlon with 2 GB of RAM and an 80ish GB SATA HD.  That should be enough horsepower to run a firewall pretty smoothly.  I ordered a couple more NICs so I could configure things the way I wanted…and I was off and running.

There isn’t much to say about the install; smoothwall goes on really easy.  The only “tricky” part about it is knowing which NIC it’s talking about when it asks you what to use for the various interfaces.  I configured it and rebooted…good to go.  The difference between this machine and the old one is nothing short of incredible.  It responds so much faster, it runs quieter…it’s just an all-around better box.  I mentioned in the last paragraph that I ordered 3 NICs.  I set one up as the “RED” (external) interface, one as the “GREEN” (internal) interface, and the last as the “ORANGE” (DMZ) interface.  What having the Orange interface allows me to do is put a machine on that NIC and keep it segregated from my internal network, as well as have it unaffected by the various mods I put on the firewall (content filter, adzapper…etc).  I’m going to connect the wife’s work machine to this NIC.  It isn’t going to increase her speed or anything like that, but it will allow me to say that any problems she is having are not caused by the firewall.  Of course that won’t stop her from asking me about every issue as soon as it comes up…

I dig being able to create as many connections as possible and this firewall still handling them without a hiccup…and I take for granted all the ads the adzapper actually does take care of for me.  The content filter isn’t something I’d really need per se…but it keeps the wife happy that the kid isn’t seeing something we don’t want her to.  The 2nd install of smoothwall went much better than the first time I did it…I can’t imagine what the difference might be…

Network Reconfiguration

Posted by Grand Poobah on November 1, 2010

I carved out some time last night to set up the home network a little more to my liking.  I wanted to take the Linksys WRT54G out of the equation as far as DHCP and DNS are concerned.  A port failed on the router not too long ago, so I’m not sure exactly how much life is left in the old hog.  It seems like I’ve had this thing forever; I bought it not too long after the hacked firmware came out for it and it was demonstrated just what this little device was capable of.  I’m not even sure how long ago that was…I think I was in Fargo at the time, I’m not sure.  6ish years ago?  I have been thinking for a while that I should offload all of that onto the firewall and let this little device just handle wireless AP duties.

When I first set up the smoothwall it was pretty simple to get the DHCP server working fine; the problem is the internal DNS.  The smoothwall does not update its hosts file from the dhcp.leases file…or something like that.  There is another tab that lets you set static DNS assignments.  I added a host to this tab, saved everything out…nothing.  My internal Linux server would not resolve the name.  Everything external worked fine…it was just the internal crap.  I jacked into the smoothwall host and that machine resolved the host I added without problems.  Back to the Linux server…nslookup {hostname}, boom, digs it out fine.  Ping {hostname}, fail…wtf?  The host I added was a Linux box, so I tried to SSH in to it via host name…nothing.  SSH via IP works fine…this is weird.  I’ve mentioned before that if there is one part of my game that needs help the most in my daily work it’s the networking side…I just don’t know as much about it as I would like to.
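The nslookup-works-but-ping-fails symptom above is worth one check, because the two tools do not resolve names the same way: nslookup sends its query straight to the nameserver in /etc/resolv.conf, while ping and ssh call the libc resolver (getaddrinfo), which follows /etc/nsswitch.conf, so /etc/hosts, the resolv.conf search list and any local caching daemon sit in between. When one path answers and the other does not, that is where to look. The Python below is an added diagnostic, not anything from the post, that performs both lookups for a name and reports whether they agree. The hostname fileserver.home, the default server address and the canned response packets used for the offline check are constructed.

```python
"""
Added example (not from the post): compare the two name-resolution paths.

direct_dns_lookup() does what nslookup does (one UDP query to a server).
nss_lookup() does what ping/ssh do (getaddrinfo via nsswitch.conf).
The hostname, server address and canned packets below are constructed.
"""
import socket
import struct
import sys


def build_a_query(name, txid=0x1234):
    """Minimal DNS A/IN query with the RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                        # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs


def direct_dns_lookup(name, server, timeout=2.0):
    """The nslookup path: ask the server directly, NSS not involved."""
    query = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_answers(data)


def nss_lookup(name):
    """The ping/ssh path: getaddrinfo(), which honours nsswitch.conf,
    /etc/hosts and the resolv.conf search list."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def compare(name, server):
    """Run both lookups and say which side is missing the answer."""
    rcode, dns = direct_dns_lookup(name, server)
    nss = nss_lookup(name)
    if not dns and not nss:
        verdict = "neither path resolves the name"
    elif set(dns) == set(nss):
        verdict = "consistent"
    elif dns and not nss:
        verdict = "DNS answers but libc does not: check nsswitch.conf, /etc/hosts, search list"
    elif nss and not dns:
        verdict = "libc answers but DNS does not: /etc/hosts entry or a different nameserver"
    else:
        verdict = "both answer, but with different addresses"
    return {"dns_rcode": rcode, "dns": dns, "nss": nss, "verdict": verdict}


# Constructed packets so the parser can be exercised offline.
SAMPLE_RESPONSE = (build_a_query("fileserver.home")[:2]
                   + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
                   + b"\x0afileserver\x04home\x00" + struct.pack(">HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
                   + bytes([192, 168, 1, 20]))
SAMPLE_NXDOMAIN = (build_a_query("nosuch.home")[:2]
                   + struct.pack(">HHHHH", 0x8183, 1, 0, 0, 0)
                   + b"\x06nosuch\x04home\x00" + struct.pack(">HH", 1, 1))

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "fileserver.home"  # assumed name
    server = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.1"     # assumed firewall address
    print(compare(host, server))
```

Run it on the client that fails as `python3 resolve_check.py <hostname> <firewall-ip>`; the verdict string says which path is dropping the answer, which narrows the search to a handful of files before touching the firewall again.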
