
Linux Router Project (LRP):

This project is based on the Linux 2.2 kernel. Because newer network cards typically do not ship with Linux 2.2 drivers, this project is on a "legacy track".

This tutorial demonstrates, step by step, how to build a low-cost, extremely reliable, high-performance, industrial-strength firewall and network address translator (NAT) for protecting and/or sharing PCs behind a cable modem or DSL modem in residential, commercial or industrial settings.

This LRP firewall can handle multiple-client pass-through of Microsoft PPTP VPN, and it has secure, encrypted remote-administration capability when used in the optional hard-disk, Compact Flash or IDE-ZIP disk mode.


To transform an old 486 PC into a professional print server, see this page.

A mirror of this LRP site is hosted in Bucharest, Romania.
The URL of the mirror is http://lrp.end.ro/

A mirror of this LRP site is hosted in Curitiba, Brazil (in Brazilian Portuguese).
The URL of the mirror is http://www.pracz.com.br/LRP/

Scope and purpose of this tutorial:
This tutorial is primarily intended for broadband DSL modem or cable modem connections.
Services that require dial-up or PPPoE [e.g. Deutsche Telekom, Ameritech] are not supported here.
Other uses of this project include projects for high school, Internet-wired and Internet-enabled hotel guest rooms, schools, libraries, small business offices and home offices (SOHO), telecommuting high-tech workers with ADSL or cable modem at home who need a Microsoft VPN connection to the corporate head office, community centers, Internet cafés, forward-thinking conference centers, a Steamboat ski rentals lodge, forward-thinking tourist information centers, gas stations, computer labs and classrooms, high-tech coffee shops and restaurants (Starbucks, McDonald's, Las Vegas airport, City of New York's public parks, etc. provide wireless access functionally similar to this system) or shopping mall hot spots, forward-thinking airport waiting lounges, senior centers, ferries, bus stations or train stations. You can also use the LRP project as a personal firewall in your office to block hackers. Building owners or tenants can use one IP address to be shared by a large group of casual computer users, even in different buildings. Hopefully, some day in the future, broadband Internet access will become ubiquitous like electricity.

Previous experience with Linux or Unix is not needed.

The software used to build this firewall is free, under various Open Source licenses; it only costs you the time to assemble the pieces.
The hardware used to build this firewall is a surplus PC (a 486-66 MHz or low-end Pentium PC) plus two inexpensive Ethernet network cards.
Commercial firewalls (priced from about $40 US to several hundred thousand dollars for models with more advanced features and capabilities) are available for purchase and are becoming very popular.
Click here for samples of commercial firewalls.
Many people build LRP for the learning experience and the satisfaction of "do-it-yourself".
If you have lots of money, or work for a large corporation or government, buy Cisco PIX firewalls instead. Don't save money by building something useful.

If you collect all the necessary information and hardware, you can do this project in one or two evenings. A cookbook-recipe approach is chosen so that you can build a robust Linux firewall / share-box by following the step-by-step procedures; you don't need to know the cryptic Unix or Linux commands, although in the process of building the box you may learn a few.

Disclaimer


Hardware:

A surplus 486-66 MHz PC or a low-end Pentium PC.
(A motherboard with two empty PCI slots is preferred, but not necessary.)
16 MB RAM. Click here to find out how much RAM you have.

For extremely demanding applications, try a 500 MHz Celeron/Pentium with two Intel PRO/1000 MT Gigabit Ethernet cards.


Two (2) Ethernet network adapter cards (see note):
PCI cards are much easier to set up and less trouble-prone than ISA cards.

Click here to see a full list of Ethernet network cards supported by this project.

Caveat: Do not combine an ISA NE2000 and a PCI NE2000 on the same motherboard. The software drivers get very confused.

Samples of network cards supported by this project:
PCI - Novell NE2000 or clones (use ne2k-pci driver)
PCI - Realtek 8029 chipset (Novell NE2000 clones) (use ne2k-pci driver)
PCI - 3COM 3c590, 3COM 3c900, 3COM 3c905 (use 3c59x driver)
PCI - Realtek 8139 chipset, except the newer 8139D; many 10/100 economy cards use this chipset (use rtl8139 driver)
PCI - D-Link DFE530-TX+, D-Link DFE-538TX (use rtl8139 driver)
PCI - D-Link DFE530-TX (use via-rhine driver)
PCI - DEC/Intel 21x4x chip; 21x4x-compatible Ethernet cards (use tulip driver)
PCI - US Robotics USR7900 (use tulip driver)
PCI - Sohoware SFA110 (use tulip driver)
PCI - Netgear FA311 or FA312 (use natsemi driver)
PCI - CNET Pro200 with Davicom DM9102 chipset
PCI - Intel Pro/100 cards (Intel EtherExpress Pro/100) (use eepro100 driver)
PCI - Intel Pro/1000 MT cards (1000 Mbps, or Gigabit, Ethernet cards) (use e1000 driver)

ISA - 3COM 3c503, 3c507, 3c509, 3c515
ISA - SMC 8416 (SMC EtherEZ)
ISA - SMC 8013 (WD 8013) (Western Digital 8013) (SMC-Elite 16) (SMC690)
ISA - Intel EtherExpress 16 (i82586 chipset)
ISA - Intel EtherExpress Pro/10 (i82595TX), Pro/10+ (i82595FX)
ISA - D-Link DE-220 (Novell NE2000 clone) (use ne driver)
ISA - Allied Telesyn AT2000 (Novell NE2000 clone) (use ne driver)
ISA - Novell NE2000 or clones; Realtek 8019 chip-based (use ne driver)
ISA - SMC 1660T, Acer ALN-101 (Novell NE2000 clones) (use ne driver)

Confused, or in a rush to get started? Here are some suggestions.
If you don't have any old network cards, ask some geeky friends who might. Sometimes you find reasonably priced legacy cards on eBay auctions.

If you must buy new PCI network cards for the project, consider these moderately priced cards: Realtek 8139 chipset (use rtl8139 driver), D-Link DFE530-TX (use via-rhine driver), Novell NE2000-compatible Realtek 8029-based PCI card (use ne2k-pci driver), Netgear FA311 or FA312 (use natsemi driver), US Robotics USR7900 (use tulip driver), Sohoware SFA110 (use tulip driver).

If you must buy new PCI network cards and you have lots of money, consider these top-tier Ethernet cards: 3COM 3c905 (use 3c59x driver), Intel Pro/100 series (use eepro100 driver), Intel PRO/1000 MT (use e1000 driver), or generic cards based on the DEC/Intel 21x4x chipset (use tulip driver). Caveat: these fast 10/100 Mbps full-duplex cards may fail to talk to some models of cable modem that have only a half-duplex 10 Mbps Ethernet port. The Terayon cable modem is one of those older designs.

 

Preparation:
Identify the MAC addresses AND set up the two network cards

Why is the MAC address so important? Because you need to correctly identify which card is connected to the outside world (eth0) and which card is connected to the internal network (eth1); see this diagram. With some DSL or cable modem companies, you also need to know the MAC address of the card (eth0) that is connected to their DSL/cable modem (see steps 5b and 5c below).


Identify the MAC address:
See this page on how to identify the MAC addresses of the network cards.


PCI network cards: there is no need to set up PCI cards; their IO address and IRQ are assigned automatically.


ISA network cards setup:
(Setting up ISA cards is typically time-consuming because of IO-address or IRQ conflicts.)

3c503:
Use the on-card jumpers: card A IO=300, mem=C800, IRQ=3 (use diskette)
Use the on-card jumpers: card B IO=310, mem=CC00, IRQ=5 (use diskette)

3c509:
Use this detective disk to set the card's IO and IRQ and to disable its PnP.
Card A: set IO=300, IRQ=10; if you have the PnP version, set it to non-PnP.
Card B: set IO=320, IRQ=11 or 5; if you have the PnP version, set it to non-PnP.

3c515:
The 3c515 is a 10/100 Mbps PnP-ISA card. You cannot disable PnP on a 3c515. Fortunately the 3c515 driver knows that, so no setup is needed for the 3c515.

NE2000-ISA clones, Realtek 8019 chip (Novell NE2000 clones):
Use this detective disk or the manufacturer's "setup disk" to set up the cards:
Card A: set IO=300, IRQ=10 or 12; set to non-PnP (jumperless) mode.
Card B: set IO=320, IRQ=11 or 5; set to non-PnP (jumperless) mode.

D-Link DE-220, Allied Telesyn AT2000, Kingston KNE2000 (Novell NE2000 clones):
Use this de220 utility to set up the cards:
Card A: set IO=300, IRQ=10, choose some memory block and disable PnP.
Card B: set IO=320, IRQ=11 or 5, choose some memory block and disable PnP.

Intel EtherExpress 16:
Use this softset2 utility to set up the cards:
Card A: set IO=300, IRQ=10, choose some memory block and disable PnP.
Card B: set IO=320, IRQ=11 or 5, choose some memory block and disable PnP.

Intel EtherExpress Pro/10 and Pro/10+ (i82595TX and i82595FX):
Use this softset2 utility to set up the cards:
Card A: set IO=300, IRQ=10, disable PnP.
Card B: set IO=320, IRQ=11, disable PnP.

SMC 8416 EtherEZ:
Use this ezstart utility to set up the cards:
Card A: set IO=300, IRQ=10, choose some memory block and disable PnP.
Card B: set IO=320, IRQ=11 or 5, choose some memory block and disable PnP.

SMC 8003/8013 EtherCard Plus family cards, use the on-card jumpers to set:
Card A: IO=280, IRQ=3
Card B: IO=300, IRQ=5

Notes:
1. On some motherboards, IRQ 10 or 11 causes a conflict; check with this table.
2. Optional, advanced: if you choose IO addresses other than 300 and 320, see this page for more information.

Creating a boot floppy for LRP, step-by-step procedure

(1) Install WinZip and WinImage on your PC.
(Win 95/98/NT Windows ME/2000/XP)

(2) Download and save this base image.

(3a) Download and save the appropriate network card driver package
[the network card driver package is called modules.lrp]:
First, click here to see a list of Ethernet cards and the name of the driver.
If you use 3C503 [IO 300 mem C800 IRQ 3; IO 310 mem CC00 IRQ 5, as jumpered in the Preparation section], download and save this file.
If you use 3C507 (ISA), download and save this file.
If you use 3C509 (ISA), download and save this file.
If you use 3C515 (ISA), download and save this file.
If you use 3C590 or 3C900 or 3C905 (PCI), download and save this file.
If you use AMD PCNet32, download and save this file.
If you use CNET Pro200 Davicom DM9100 chipset, download and save this file.
If you use NE2000 (ISA) clones, download and save this file.
If you use NE2000 (PCI) clones, download and save this file.
If you use Realtek 8029 based PCI cards, download and save this file.
If you use Realtek 8019 based ISA cards, download and save this file.
If you use Intel ISA EtherExpress 16, download and save this file.
If you use Intel Pro/10 or Pro/10+ ISA, download and save this file.
If you use Intel Pro/10 PCI, download and save this file.
If you use Intel Pro/100, Pro/10+ PCI, download and save this file OR this file.
If you use Intel PRO/1000 (Gigabit, or "gige"), download and save this file.
If you use Realtek 8139 based cards (except 8139D), download and save this file.
If you use D-Link DFE-530TX (via-rhine chipset), download and save this file.
If you use Linksys LNE100TX, download and save this file.
If you use cards with Tulip chipset, download and save this file.
If you use cards with Broadcom 4401 chipset, download and save this file.
If you use US Robotics USR7900 cards, download and save this file.
If you use Sohoware SFA110 cards, download and save this file.
If you use cards with old Tulip chipset, download and save this file.
If you use SMC EtherPower SMC 8432, download and save this file.
If you use D-Link DFE-550TX (Sundance chipset), download and save this file.
If you use SMC EtherEZ SMC 8416, download and save this file.
If you use SMC EtherPower II (SMC 9432), download and save this file.
If you use Asound Myson 800 (mtd803, mtd891), download and save this file.
If you use Netgear FA311 or FA312 (DP83815 chip), download and save this file.
If you use Netgear's older FA311 (Realtek 8139 chip), download and save this file.
If you use Western Digital 8003/8013 (SMC 8013), download and save this file.
If you use cards with National Semiconductor DP83820 chipset, download and save this file.
If you use Realtek RTL8169 chipset (gige), download and save this file.
If you use NE2100 card, download and save this file.
If you use 2 different types of cards, download and save this file and click here.
If you are not sure what card you have, try this file, and then come back to check this page after you have done step (6) below.

(3b)
If your ADSL or cable modem service provider uses dynamic IP addresses, download and save these 2 configuration files: etc.lrp and syslinux.cfg (right-click on syslinux.cfg and choose Save);
If your ADSL or cable modem service provider uses a static IP address, download and save these 2 configuration files: etc.lrp and syslinux.cfg (right-click on syslinux.cfg and choose Save).

(3c) Invoke WinImage and drag and drop the base image (from step 2) into it. You should see something like this. Drag and drop the appropriate modules.lrp (step 3a), etc.lrp (step 3b) and syslinux.cfg (step 3b) into the WinImage window. WinImage should now contain 12 files and it should look something like this. Save your newly assembled image [in the WinImage window, click File... Save].

(4) Insert a new, high-quality, blank floppy disk in drive A, then click Disk... Write to create an LRP boot floppy.
Don't use a bulk or old floppy diskette. If your floppy drive is old and worn out, consider buying a new one: LRP uses a 1680K-formatted diskette, which is quite demanding. If you see a lot of error messages during boot, it is most likely due to a bad floppy diskette or a worn-out floppy drive.

(5a)
Shaw cable modem users (with Terayon modems) - jump to step (6).
Rogers cable modem users (with Terayon modems) - jump to step (6).
Delta Cable modem users - jump to step (6).
Québec Vidéotron cable modem users - jump to step (6).
NTL (UK) Internet cable modem users - jump to step (6).
Comcast cable modem users - jump to step (6).
Insightbb cable modem users - jump to step (6).
Time Warner Road Runner cable modem users - jump to step (6).
Swedish Comhem cable modem users - jump to step (6).

(5b)
(Some) Cox cable modem, OptusNet:
find out your identification code in preparation for step (10) below.

(5c)
Telus, Cox, Telewest, Charter Communications (Maryland):
find out the MAC addresses of your Ethernet cards, in preparation for step (10) below.

(5d)
Users with a static IP address, proceed to step (6).

(6) Before unplugging your existing Windows computer from the cable modem or ADSL modem, it is advisable to release its IP address first. Click here for how to release the IP address. Power up the firewall with the LRP boot floppy in drive A. The first and second boot may take 5 minutes (apparently stuck on syslogd) because the box has no proper IP address yet.

Log in as root, then type q to drop to the # prompt.
Type ifconfig eth0 and ifconfig eth1 to identify the MAC addresses (shown as HWaddr in the output).
This checklist may be helpful for doing MAC-address detective work.
Optional, advanced: if you use 2 different types of network cards, see this page.
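What the MAC-address detective work of step (6) (and of the Preparation section above) looks like when scripted, as an added example for this page rather than code from the LRP tutorial or its tools: the ifconfig output embedded below is constructed to match the Linux 2.2 net-tools layout, and the two card addresses and the "registered" address passed in are made up for illustration.

```shell
#!/bin/sh
# Added example, not LRP's own code. Pick the HWaddr of each card out of
# ifconfig output and decide which card the ISP knows about (the one that
# must face the cable/DSL modem as eth0).

# Constructed sample of Linux 2.2 `ifconfig -a` output; the MACs are made up.
# On the LRP box itself, replace the sample with: IFCONFIG_OUT=$(ifconfig -a)
IFCONFIG_OUT='eth0      Link encap:Ethernet  HWaddr 00:50:BA:0A:0B:0C
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:E0:4C:11:22:33
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# mac_of IFACE: print the HWaddr of IFACE in upper case; print nothing
# and fail if the interface has no Ethernet address (e.g. lo).
mac_of() {
    mac=$(printf '%s\n' "$IFCONFIG_OUT" |
        awk -v ifc="$1" '$1 == ifc && /HWaddr/ {
            for (i = 1; i <= NF; i++) if ($i == "HWaddr") print toupper($(i + 1))
        }')
    [ -n "$mac" ] || return 1
    printf '%s\n' "$mac"
}

# external_iface REGISTERED_MAC: name the interface whose MAC matches the
# address the ISP has on file. Case-insensitive; fails if no card matches,
# which means the cards are cabled wrong or the ISP has a different MAC.
external_iface() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    for ifc in eth0 eth1; do
        if [ "$(mac_of "$ifc")" = "$want" ]; then
            printf '%s\n' "$ifc"
            return 0
        fi
    done
    return 1
}

# Usage on the LRP box: sh macs.sh 00:e0:4c:11:22:33
if [ $# -eq 1 ]; then
    if ext=$(external_iface "$1"); then
        echo "card with MAC $1 is $ext; cable it to the modem (it should be eth0)"
    else
        echo "no card has MAC $1" >&2
        exit 1
    fi
fi
```

If the card the ISP has on file turns out to be eth1, swap the cables (or the cards) rather than the configuration: the etc.lrp from step (3b) assumes eth0 is the outside.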

(7) It may be advisable to power the cable/DSL modem down and up again to purge its memory of the existing Ethernet card's MAC address. Sometimes you may have to release the IP address to your ISP before powering up the LRP. Power off your LRP firewall.

(8) Connect eth0 to the cable/DSL modem and connect eth1 to your internal network hub (see this diagram). Power up the cable/DSL modem, wait until it becomes stable, then power up the LRP firewall.

(9) The majority of residential ADSL and cable modems use "dynamic IP"; in that case, proceed to step (10). If for whatever reason you have a "static IP address", jump to this page.

(10) If you use dynamic IP, you may have to jump through some bizarre hoops to keep your DSL or cable modem company happy. Here is how to jump the hoops.
If you use static IP, proceed to step (11).

(11) Configure DHCP (on the LRP) for your location:
(a) collect the proper information, then (b) edit a configuration file on the LRP.

(12) Reboot the LRP firewall.
Re-configure your original PC for use behind the new LRP firewall.
If you have a "software firewall" installed on that PC, it must allow DHCP traffic so that the PC can obtain an IP address from the LRP box, unless you choose to use a "static IP" address on that PC.

(13) To configure the other PCs in your internal network, see this page.
If you have a "software firewall" installed on those PCs, it must allow DHCP traffic so that each PC can obtain an IP address from the LRP box, unless you choose to use a "static IP" address on that PC.

(14) Surf happily ever after.

Acknowledgements.

If you have trouble getting LRP to work, see this trouble-shooting guide.
If you use "dynamic IP", each time your ISP changes your IP address you need to restart seawall; see this page.


(15) You may want to disable the power-save feature of the BIOS so that the CPU does not go into low-power mode (which degrades the performance of the LRP) when there is no traffic going through the firewall. Thanks to Paul Sorichetti of Ottawa, Ontario, Canada for discovering this point.

(16) Optional, advanced: if you have a static IP address or a quasi-static IP address AND your "ADSL or Cable Modem User Policy" allows you to run a web server, e-mail server, NetMeeting or pcAnywhere server on your inside network, see this page on "port forwarding".


(17) Optional, advanced: if you want to build an LRP firewall that boots from an IDE hard disk, Compact Flash or IDE-ZIP drive, see this page.

(18) Optional, advanced: if you want to telnet to your LRP firewall, see this page. Telnet is unencrypted, so only allow it from the internal network; the encrypted remote administration mentioned at the top of this page requires the hard-disk or Compact Flash mode of step (17).

(19) Optional, advanced: if you want your LRP to use the local time zone or to use SNTP to synchronize to time servers, see this page.

(20) Optional: you may want to remove the hard disk to reduce power consumption and noise.


References:
(NAT) Network Address Translator: RFC 2663 and RFC 1631
Address Allocation for Private Internets: RFC 1918
The MD5 Message-Digest Algorithm: RFC 1321
Issues and thoughts about the lack of end-to-end datagram transparency due to NAT: RFC 2775
Home Network Security, by CERT.
ip_masq has a vulnerability; how to reduce the exposure of the ip_masq weakness.

Technical synopsis:
The project is based on LRP 2.9.8 using the kernel source 2.2.19-1-LRP.linux.tar.gz from
http://www.tux.org/pub/distributions/tinylinux/linux-router/dists/2.9.8/ , with John Hardin's ip_masq_pptp kernel patch added for Microsoft PPTP pass-through and the CoRiTel Sofia Project (Rome, Italy) ip_masq_h323 kernel patch for NetMeeting pass-through. Compilation is done on Debian Linux: the LRP kernel can be compiled on a current Debian Linux, but the LRP binaries (executables) are compiled on Debian 2.1 (slink).
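For the masquerading (NAT) and filtering that the synopsis and the introduction describe, this is what a minimal ipchains policy for the two-card box looks like on a Linux 2.2 kernel. It is an added example written for this page, not LRP's own configuration and not the rule set generated by seawall (which the tutorial tells you to restart after an IP change). It assumes eth0 faces the modem and that the LAN is 192.168.1.0/24 (one of the RFC 1918 prefixes listed in the references); the anti-spoofing and inbound-SYN denies are the editor's choices, not the tutorial's.

```shell
#!/bin/sh
# Added example, not LRP's or seawall's rule set: a minimal ipchains
# (Linux 2.2) policy for a two-card LRP box. The interface name, the LAN
# prefix and the logging flag (-l) are assumptions for illustration.

# Indirection so the rules can be captured or dry-run instead of applied:
#   IPCHAINS=echo sh rules.sh   prints the commands without touching the kernel.
ipchains_cmd() {
    ${IPCHAINS:-ipchains} "$@"
}

# apply_rules EXT_IF LAN_CIDR
apply_rules() {
    ext=$1
    lan=$2

    # Clean slate. Nothing is routed through the box unless a forward rule
    # says so; the box's own input/output default to accept and are
    # narrowed by the explicit rules below.
    ipchains_cmd -F
    ipchains_cmd -P input ACCEPT
    ipchains_cmd -P output ACCEPT
    ipchains_cmd -P forward DENY

    # Anti-spoofing on the card that faces the modem: a packet from the
    # Internet must never claim our LAN, an RFC 1918 prefix or loopback as
    # its source. -l logs each hit to syslog. These go first so they are
    # evaluated before anything that would accept traffic on $ext.
    for net in "$lan" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipchains_cmd -A input -i "$ext" -s "$net" -j DENY -l
    done

    # No new TCP connections to the box's own services from the Internet
    # side (-y matches SYN-only packets, i.e. connection attempts). Replies
    # to sessions the LAN opened are not SYN-only and still pass.
    ipchains_cmd -A input -i "$ext" -p tcp -y -j DENY -l

    # Masquerade (NAT) everything the LAN sends out through $ext. On the
    # forward chain, -i names the outgoing interface in ipchains.
    ipchains_cmd -A forward -s "$lan" -i "$ext" -j MASQ

    # The kernel does not route between the two cards until told to.
    if [ -w /proc/sys/net/ipv4/ip_forward ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}
```

Run it as root on the LRP box with `apply_rules eth0 192.168.1.0/24` and inspect the result with `ipchains -L -n -v`. The inbound SYN deny is what closes the box's own telnet, syslog and DHCP-server ports to the Internet side; if you later add the port forwarding of step (16), the forwarded port needs an explicit ACCEPT on the input chain ahead of that deny.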

MSN Messenger: this LRP firewall does not have a kernel patch to allow Microsoft MSN Messenger clients behind the NAT firewall to make voice calls or send files (outbound).
This is due to protocol problems in MSN Messenger; see
http://support.microsoft.com/support/kb/articles/q278/8/87.asp

Others:
House-keeping items


© 2000-2010 Nicholas Fong, e-mail

Last revised  August 23, 2010

Burnaby, B.C., Canada
