The build-it-yourself firewall router


For several years a D-Link DSL-504 has been my ADSL router. It wasn't a bad little box despite coming with crippled UK firmware that was incompatible with network gaming on my PS2 (Burnout Takedown anyone??). Fortunately a firmware flash using the Aussie revision breathed new life and functionality into the thing although even then it had its problems. DSL signal acquisition could sometimes take up to fifteen minutes and, more recently, it hasn't been saving changes to firewall rules that I've applied so functionality that works one day doesn't the next.

I'd finally had enough and set about thinking what I could do about it. I could blow sixty quid on a new DSL router, but the trouble with that is they all seem to come with WiFi these days and I'm happy with my WiFi network using my existing two Belkin access points which work together in a wireless bridge configuration. Besides, I might not be sticking with DSL as I'm toying with the idea of going back to a cable connection in the future.

So what I required was...

...a cheap way of interfacing my home LAN with the Interweb;
...(relatively) sophisticated firewall & routing capabilities (good customisation, robust security, logs & stats, etc.);
...technology that could be switched from DSL to Cable mode for future proofing.

The answer was a self-build Linux firewall project. There are a few of them out there with SmoothWall and IPCop appearing to be the front runners. Now, I admit this isn't something new to me and I'd built a SmoothWall box out of an old 486 back in 2002 when I first had broadband installed. In fact, Nigel and I supplied several SmoothWall boxes to some of the small business installations we supported before we pulled the plug on R3UK Limited in 2006 and up until then they had all worked solidly. You don't need to know a thing about Linux to build and maintain a SmoothWall or IPCop firewall, you simply download the ISO, burn it to a CD, then boot your chosen computer from the CD and follow the prompts to install and configure.

SmoothWall and IPCop will install a Linux filesystem onto your chosen PC (wiping any other filesystem already in place) turning the PC into a dedicated firewall/router and once installed it can be administered from a web interface. Standard i386/i686 hardware can be used, the only deviation from a bog-standard PC being the need for two networking interfaces, one for connection to your LAN, the other for connection to your WAN. The WAN connection may be through a dial-up modem, ISDN Modem, USB Modem or, more likely, a second network card. The crappy diagram below shows how this dedicated Linux firewall fits in with my home broadband connection.

Block diagram



The dual network card configuration is what I'm going to go with and I'm using two Realtek 8039 PCI Ethernet cards which run at 10MB/s each. Why, you might ask, am I not using 100MB or Gigabit Ethernet cards?? Well, 'cos I happen to have two Realtek 8039 cards hanging around in my box-of-spare-tat-I-thought-I'd-never-use-again, because I know the 8039 chipset is compatible with SmoothWall/IPCop and because this is an interface with my broadband DSL connection which, at the time of writing, runs at a sappy 1.5Mbps. Anything faster would just cost me money with no performance benefit.

To interface one of my network cards with my ADSL line I required an Ethernet DSL modem. I didn't want to spend a significant amount of money as I may not stick with DSL in the long term and I didn't want anything too flashy. Straight no-frills Ethernet DSL modems are hard to come by these days with most low cost (or freely supplied) modems being USB and most Ethernet equipped devices having wireless whistles and bells which I didn't want. Back in the day Nige and I used to supply the D-Link DSL-300T which in 2003 was a fifty quid plain Ethernet modem that used to work quite well. For this project I managed to obtain a second hand one in exchange for about twelve of my hard earned pound coins.

DLink 300T



Armed with my network cards and modem, I now needed a suitable PC to shove 'em in. In the past I'd used old 486, Pentium I and Cyrix boxes but these days the attic is littered with Pentium II and III machines. My original choice was a 266MHz PII Dell last used as a dedicated Unreal Tournament server in 2007. These days however it seems to be suffering from BIOS rot – a kind of Alzheimer's for computers where it forgets its internal settings (even with a change of battery).

The next candidate was a 450MHz PIII that I had built myself back around the Millennium. A clonking great case, quad speed CD ROM drive, 256MB RAM and 100MHz bus made up this monster which had, in a previous life, acted as a low end backup server for this website (among other things).

Computer before



Still, bags of room inside so no problem fitting in the two network cards (arrowed green)...

Network Cards



This machine wasn't quite ready to use as it was though. It was too noisy and thirsty for its new life as a 24/7 firewall. The quickest way to reduce noise and energy consumption was to ditch the hard drive in favour of a CF card from a (now dead) digital camera fitted to the IDE bus using a converter that cost about four quid.

CF Card



The CF card is 2GB in size although such capacity isn't required for this application and 500MB would have been more than enough. With no moving parts, the CF runs silently. Data transfer is slower than with a hard drive but it's still over spec for this requirement.

Although replacing the hard drive with a CF card lowered the annoying whirring of this machine, by far the worst culprit for noise output was the CPU fan. I figured I could get away without this if I under clocked it from 450/100 to 300/66, especially as this machine has an unusual power supply fan arrangement whereby the fan exhausts directly over the CPU rather than out of the case as shown below.

Airflow



Under clocking the machine to its minimum speed further reduced power consumption by 2 Watts while 300MHz is still more than fast enough for this job. Removal of the CPU fan left the PSU fan as the only moving part and it runs quietly enough so as not to be annoying.

What I was after from this installation was an all-in-one box so I wanted to fit my D-Link ADSL modem within the PC case. Handily enough, the D-Link DSL-300T modem is about the same width as a 5.25in drive so I would be able to slot it into one of the expansion bays of my chosen PC. The problem now was how to power the modem which required a 9V AC input while the cabling inside the PC provided only 5V and 12V DC.

Popping open the case of the 300T revealed that immediately after the power input socket were four diodes acting as a bridge rectifier. Not only that but my Voltmeter showed that the input from the power adaptor was more than 9V and in fact, the output of the rectifier was at over 11V DC. Great news - I could just take my 12V DC line from inside the PC and splice it directly to the rectifier output thus powering the modem from the PC power supply rather than using the AC transformer supplied with the modem.

It worked too.... briefly. Unfortunately the modem kept losing synchronisation with the DSL signal. I suspect (and this is just a guess), that the 50Hz AC input frequency is also used for internal timing and is tapped off from the power input jack to circuitry elsewhere in the modem before it goes into the rectifier. My conversion was therefore enough to power the device but left it 'free running' without an accurate time source to keep it in sync with the DSL line. This would also explain why D-Link's DSL products have AC inputs while their Cable routers which connect to cable modems via Ethernet and don't interface directly with a transmission line have DC inputs (or at least, this is true for the models I've come across).

Sadly this meant I had to undo my DC conversion and power the modem using its own transformer. This involved fitting an internal AC socket tapped from the computer's AC input within the PC case.

Mains Socket



Not pretty I know, but unfortunately necessary if I were to keep to my all-in-one-box solution. Still, with the modem now happily powered and holding its synchronisation, I was able to slot it into one of the 5.25” drive bays.

Computer and modem



Now for the fun stuff....

It just wouldn't be a cool project unless there were some flashing lights involved somewhere. The front of this computer was too beige and plain for my liking so to make the thing look more dramatic I ended up bolting a bloody silly blue strobe light to it.

Indeed, I've been wanting to find a use for the strobe since pulling it off an old burglar alarm about ten years ago. I didn't know what else to do with it short of mounting it onto the roof of my car (probably illegal) and driving around impersonating a Police officer (definitely illegal). It looks pretty stupid but it's there to flash annoyingly at anyone who shuts off the power to the DSL modem by hitting the 'kill' switch mounted on the front of the PC. The kill switch was spliced inline with the output of the modem transformer so I could power cycle the modem independently of the PC whereas before that was fitted I had to shut down the whole box any time the modem needed a quick kick.

Front Panel



In the above piccie we have:
A – The modem kill switch
B – Silly strobe light (flashes when kill switch is used)
C – A rectangular cut out in the 5.25” blank so the modem status LEDs can be seen when it is finally pushed into place in the computer casing
D – A packet of mushrooms left carelessly in shot

Also fitted was an alarm buzzer salvaged off an old PABX ('A' in picture below) and some circuitry ('B') to pulse the buzzer and light a red LED when the kill switch is used (as if the strobe ain't enough).

Buzzer



... and here it is sitting on top of the Evil Server's rack in its finished form....

Finished?



... or is it..??

The last problem was that the puny status LEDs inside the 300T modem were quite hard to see yet I wanted to know at a glance whether things were working smoothly. To improve the indicators I opened the 300T, desoldered the LEDs and soldered replacement LEDs from a circuit board pulled out of a dead Dell keyboard on to flying leads. I also shorted out the resistors that were in place inside the 300T that were wired to each LED causing them to be underpowered and, therefore, dimmer than they could be.

LED board



The LED board was then hot glued into place on the back of the 5.25” blank.

LED board



Finally the rectangular hole was filled by the clear plastic insert also salvaged from the dead Dell keyboard that used to house and focus the LEDs in their former life.

Finished!



There. Much clearer indication of whether the thing has lost signal or not! You may also spot in this picture that there is a keyboard and monitor sitting on top of the box; however, these are not really required once it has been built as administration can be performed via a web interface.

That web interface makes operation and monitoring a breeze. Logs, stats and graphs are all available to view. Both SmoothWall and IPCop can act as your DNS and DHCP servers and they support SSH and VPN access.

I particularly like the traffic graphs which can store up to a year's worth of info and are jolly useful when hosting a website as I am. After monitoring my graphs for the last few days I know this site is at its quietest at 6AM UK time (ignore the blank space in the graph below which is an indicator that the firewall was powered off between 13:00 and 16:00 while I fitted my new indicator LEDs).

Graphs



The end result then was not the prettiest of gadgets but it's certainly a powerful and flexible solution to meet my routing and firewall requirements. Should I decide to ditch ADSL, all I have to do is unplug the internal DSL modem from the network card it is connected to and hook that network card up to a cable modem. No reconfiguration of the box is required at all.

It's another way of doing something useful with scrap technology!