How To Use Multiple Red IPs With Smoothwall 3.0 Express

February 11th, 2008 by Dave · 1 Comment

It recently became critical for me to have multiple IP addresses on the ‘Red’ interface of my Smoothwall 3.0 Express firewall. After searching Google and the Smoothwall forums for help, and not finding any mention of pre-built plugins that do this for you, nor any straightforward recipes or how-tos, I decided to go figure this out on my own.

There was some info on the Smoothwall forums that proved useful, but I didn’t particularly like most of the suggestions, which amounted to hard-coding every possible combination of address and port forward. I wanted something I could treat as a function that could be called easily, so that eventually I could concentrate on what I wanted rather than how to make it happen. In addition, I wanted something that I could perhaps evolve into a plugin for others to use, so it could not assume things like which interface is the ‘Red’ one, what the internal IPs were, or what the external IPs should be.

Since my immediate need was only to do port forwarding, what I created does that rather than one-to-one NAT, and rather than opening up the internal IP to the full chaos of the internet. Before I get into the technical details, let me show you how you add a new “Red” IP address using my solution:

multi_ip 1 200.200.200.200 eth1 192.168.1.100 "53 80 443" "53"

which is simply a line that has the following parts:

(func name) (red interface alias) (new red ip) (internal interface) (internal ip address) (tcp ports to forward) (udp ports to forward)

To create my solution, I first started writing a new shell script (‘sh’) file (at /var/smoothwall/mods/multi_red_ip/etc/rc.d/rc.firewall.up) that would contain a function I could call. Since Smoothwall already provides a source-able file that defines environment variables describing the current configuration, I started off by sourcing that. Here are the relevant lines of my script:

#!/bin/sh

# Source the standard smoothwall settings variables.
. /var/smoothwall/ethernet/settings

Next, I knew that I wanted to be able to debug my script without negatively impacting my smoothwall config, so I wanted a single line I could modify to determine if commands were being executed or not. In addition, I needed to see output on the console that showed me what commands would actually be executed once I stopped debugging my script. So I created a function I could call that would do both of these. It looks like this:

# Function to echo AND execute a command.
# While debugging, leave the second line commented out so commands are only
# printed; remove the leading # to actually execute them.
run()
{
    echo "$1"
    #$1
}

Note that the whole command has to be passed as a single quoted argument so that it arrives in $1 and the echo to the console prints it intact. Here I’m showing the second line of the function commented out (the leading # identifies a comment). The end result is that every command passed to this function gets printed to the console and, once I’m done debugging, I can remove the # and things will actually run.

Through trial and error, I then arrived at the following working implementation that does the meat of the job: adding a new external IP with some ports mapped to an internal machine. Because I was short on time, I assumed that the port number on the internal IP that we forward to is the same as the port number we are forwarding from on the ‘Red’ IP. Here’s the code:

# Function to port forward a new external IP to an internal IP.
# Arguments: (red alias number) (new red IP) (internal interface) (internal IP)
#            ("tcp ports") ("udp ports").  RED_DEV, RED_BROADCAST and
#            RED_NETMASK come from the sourced Smoothwall settings file.
multi_ip()
{
    EXT_INF=$RED_DEV:$1      # alias interface, e.g. eth0:1
    EXT_IP=$2
    INT_INF=$3
    INT_IP=$4
    TCP_PORTS=$5
    UDP_PORTS=$6
    echo "Adding external ip forwarding from $EXT_IP (on $EXT_INF) to $INT_IP (on $INT_INF)"

    # Bring up the alias with the new external address.
    run "  ifconfig $EXT_INF $EXT_IP broadcast $RED_BROADCAST netmask $RED_NETMASK"
    # For each port: DNAT it to the internal host, then accept the forwarded packets
    # just ahead of Smoothwall's own log/reject rules (position 24, found empirically).
    # ${EXT_INF%:*} strips the ":N" alias suffix to give the physical interface.
    for PORT in $TCP_PORTS ; do
        run "    iptables -t nat -A portfw -p TCP -d $EXT_IP --dport $PORT -j DNAT --to $INT_IP"
        run "    iptables -I FORWARD 24 -p TCP -i ${EXT_INF%:*} -d $INT_IP --dport $PORT -o ${INT_INF%:*} -j ACCEPT"
    done
    for PORT in $UDP_PORTS ; do
        run "    iptables -t nat -A portfw -p UDP -d $EXT_IP --dport $PORT -j DNAT --to $INT_IP"
        run "    iptables -I FORWARD 24 -p UDP -i ${EXT_INF%:*} -d $INT_IP --dport $PORT -o ${INT_INF%:*} -j ACCEPT"
    done
    # DUE TO SW3.0 BEHAVIOR, WHERE IT MASQUERADES ANY SOURCE IP ON A RED ALIAS TO THE MAIN RED IP,
    # WE NEED TO EXPLICITLY INSERT THIS RULE AT THE FRONT.
    run "  iptables -t nat -I POSTROUTING -s $INT_IP -o ${EXT_INF%:*} -j SNAT --to-source $EXT_IP"
}

The first set of lines pulls out the passed arguments and assigns them variable names that make the rest of the code easier to read. The first call to the run function invokes ifconfig to create the interface alias; it leans on the Smoothwall-defined configuration variables (RED_DEV, RED_BROADCAST, RED_NETMASK) so that I don’t have to provide them again. Next, I iterate through the list of TCP ports to forward and insert the appropriate iptables lines to (a) DNAT (destination NAT) the packets to the internal IP address, and (b) actually allow them to be forwarded out on the right network interface. If you read carefully you’ll note that I’m inserting the latter at a specific position (24) within the FORWARD chain. This location was derived empirically and results in the rules sitting just before the standard Smoothwall lines that log and reject packets that otherwise wouldn’t get forwarded, so anything not explicitly allowed here is still logged and rejected as before. I then repeat the loop over the provided UDP ports and do the same thing. Lastly, I insert a SNAT rule to ensure that return packets from the internal IP get SNAT’d (source NAT) to the right external IP; without it Smoothwall would masquerade them to the main Red IP, as the comment above that rule explains. This iptables rule in particular is inserted at the front of the POSTROUTING chain. Other rules are appended or inserted as far down their chains as possible to ensure they don’t negatively impact other rules you might have, that is, I want the Smoothwall’s default config to take precedence over my custom rules just in case I made a mistake.
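As an added example (not the author's rc.firewall.up), here is a dry-run variant of the same function in POSIX sh that validates the IP addresses and port numbers before printing any rule, and extends the port list syntax to accept extport:intport so the internal port no longer has to match the Red port, the one limitation noted above. It assumes the same RED_DEV, RED_BROADCAST and RED_NETMASK variables, with constructed defaults standing in for the sourced Smoothwall settings file, and keeps the empirically chosen FORWARD position 24 from the post.

```shell
#!/bin/sh
# Added example, not the original rc.firewall.up: prints the commands multi_ip
# would run after validating its inputs.  Port specs may be "80" or "80:8080".
# RED_DEV/RED_BROADCAST/RED_NETMASK normally come from the sourced Smoothwall
# settings file; constructed defaults are used here so this runs stand-alone.
RED_DEV=${RED_DEV:-eth0}
RED_BROADCAST=${RED_BROADCAST:-200.200.200.255}
RED_NETMASK=${RED_NETMASK:-255.255.255.0}

# is_ipv4 A.B.C.D -> succeeds only if there are four octets, each 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# is_port N -> succeeds only if N is an integer in 1-65535
is_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# emit_forward PROTO EXT_IP INT_IP INT_IF "port specs"
# One DNAT plus one FORWARD rule per spec; the FORWARD rule goes at position
# 24, just ahead of Smoothwall's own log/reject rules, as in the post.
emit_forward() {
    for spec in $5; do
        ext_port=${spec%%:*}; int_port=${spec#*:}
        echo "iptables -t nat -A portfw -p $1 -d $2 --dport $ext_port -j DNAT --to $3:$int_port"
        echo "iptables -I FORWARD 24 -p $1 -i $RED_DEV -d $3 --dport $int_port -o $4 -j ACCEPT"
    done
}

# multi_ip_rules ALIAS EXT_IP INT_IF INT_IP "tcp specs" "udp specs"
multi_ip_rules() {
    is_ipv4 "$2" && is_ipv4 "$4" || { echo "bad IP address" >&2; return 1; }
    for spec in $5 $6; do   # validate everything before printing anything
        is_port "${spec%%:*}" && is_port "${spec#*:}" ||
            { echo "bad port spec: $spec" >&2; return 1; }
    done
    echo "ifconfig $RED_DEV:$1 $2 broadcast $RED_BROADCAST netmask $RED_NETMASK"
    emit_forward TCP "$2" "$4" "${3%:*}" "$5"
    emit_forward UDP "$2" "$4" "${3%:*}" "$6"
    # Replies from the internal host must leave with the alias IP, not the
    # main Red IP that Smoothwall would otherwise masquerade them to.
    echo "iptables -t nat -I POSTROUTING -s $4 -o $RED_DEV -j SNAT --to-source $2"
}
```

Pipe the output through sh once you are satisfied with it; a rejected argument produces no rules at all rather than a half-applied set.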

Lastly, to ensure my Red IPs were installed on a reboot, I added the following lines to my /etc/rc.d/rc.netaddress.up. I put them there because I noticed things weren’t always the same if I ran them from /etc/rc.d/rc.firewall.up. Since I’m adding port forwards, it shouldn’t matter security-wise if these aren’t added first thing anyway; the default behavior is to ignore these packets until these lines have been run.

echo "Setting up extra RED IP addresses"
. /var/smoothwall/mods/multi_red_ip/etc/rc.d/rc.firewall.up

multi_ip 1 200.200.200.201 eth1 192.168.10.1 "53 80 443" "53"
multi_ip 2 200.200.200.202 eth2 10.1.1.1 "53 80 443" "53"


Retail Markup Is Outrageous! Or About Cabling Oversell

February 10th, 2008 by Dave · No Comments

Our recent Tivo HD and HD-DVD purchases have caused us to need one more TOSLINK fiber-optic digital audio cable (because one of them, I forget exactly which, didn’t come with it and it only uses fiber-optic and not coaxial wire.) So I went on a search online. It turns out you can buy a 6 foot TOSLINK cable on Amazon for only $0.50, though I can’t seem to reproduce that when using their product referral, so the product link near here takes you to the $1.50 version.

Now a fiber optic cable sends digitally encoded data. As a result, it either works or it doesn’t; there is no middle ground. Yet when I go to my local B&M stores, they only have products that advertise “oxygen free!”, “improved signal path”, “double insulated”, or some such quackery. To make matters worse, the cheapest I could find after trying 4 different stores was $12.99 and the next cheapest was $16.99! Holy cow, that’s a lot more than through Amazon.

Admittedly, you do pay a shipping cost when ordering online, but these things are light. The quoted shipping to me for the product above was only $2.98, making the total out the door to me a whopping $4.47. Or about 1/3rd the cost of the local B&M. Is this purely because of the retail markup that goes towards paying their rent and utilities? Or are they just trying to sucker consumers into paying more for something based on clearly bogus marketing claims? I think it’s a bit of both.


Making A Tivo Internet Connection Thru A Smoothwall 3.0 Firewall

February 8th, 2008 by Dave · 1 Comment

A friend asked me the other day how to get his Tivo to make its daily call through his home network. Besides simply getting on the network via a wired or wireless connection, the real problem most people don’t think about is that the Tivo uses a large number of network ports to call home. This causes a problem for a default Smoothwall Firewall install since it blocks outgoing connections to the majority of these ports when the requests come from your ‘Green’ network. This isn’t a bug on the Smoothwall’s part; it is a deliberate design decision made for enhanced security.

Most people think they only need to worry about inbound connections to their machines to protect them, and indeed most firewall devices you can buy do just that. But hackers have gotten smarter and they’ve realized they can avoid those blocks if they can trick you into installing software that initiates connections on your end, or trick you into directly initiating connections to their machines. Either way, then their machines can send whatever commands, read whatever of your data, etc. that they want over these connections. The Smoothwall is one of the few firewalls I know of that attempts to block these outgoing connections by default.

So if your Smoothwall only allows a few outbound connection types from your ‘Green’ LAN (things like e-mail, web, IM, multimedia, gaming, and remote access are allowed) then how do we allow a Tivo to connect to all those ports that it wants to? The easiest way is to ensure that (a) your Tivo always has the same IP address, and (b) then add that IP address to the list ‘Current Always Allowed Machines’ in your Smoothwall config. Here’s how I did these two steps…

  1. Ensure the Tivo will always be at the same IP address.
    I have my IP addresses assigned by DHCP from the Smoothwall. So I wanted to tell it to always assign the same IP address to my Tivo. To do this, I first logged into the Smoothwall web console and went to the Services->DHCP tab. On that page, I edited the section entitled ‘Add a new static assignment’:

    1. Use whatever name you like for the hostname. I used ‘tivo-s3-1’.
    2. Put whatever you want in the description field. I put ‘Media room Tivo S3’.
    3. For the MAC address, enter the value shown on your Tivo’s network information screen. On my Tivo Series 3, this is shown on the Network Connection page (Tivo->Messages & Settings->Settings->Phone & Network) in the top right as ‘MAC ID’.
    4. For the IP address, enter a value that is outside of the DHCP assigned range shown at the top of the page. For example, if your start address is 192.168.1.100 and the end address is 192.168.1.200, then pick any value ending with a number less than 100, such as 192.168.1.50.
    5. Ensure that the enabled check-box is checked.
    6. Click the ‘Add’ button.
    7. IMPORTANT: You must also click the ‘Save’ button in the middle of the page (above the Add a new static assignment section.) If you don’t do this, then the DHCP configuration is not saved and restarted and thus your changes don’t take effect!
    8. Once that save operation is complete, go back to the Network Connection page (see step 3) on your Tivo and select the ‘Change network settings->Get automatically from a DHCP server (typical)’ settings. After a minute or two, the Tivo should report that it is now using new network settings and show an IP address on the Network Connection page that matches the one you entered in step 4.
  2. Now you need to ensure that outbound connections from this Tivo are allowed through the firewall. To do that, configure the Smoothwall to allow all outgoing connections from the Tivo’s new IP address.
    1. In your Smoothwall web config screen go to ‘Networking->Outgoing’ and scroll to the bottom.
    2. In the ‘Add always allowed machine’ section, set the IP address to the value used in Step 4 of the first instruction set. Type any value for a comment. Then ensure ‘enabled’ is checked and click the ‘Add’ button.
    3. Wait for the page to finish reloading, which indicates the settings are now in effect.

You should now be able to go to your Tivo and force a daily call or repeat guided setup and have everything work!

Yes, you could have explicitly listed the various ports as outgoing exceptions for the Tivo’s IP, but I’ve found that Tivo software updates occasionally install new features that need new ports. None of the upgrade processes makes it clear which ports these are, so I’ve just found it easier to allow all outgoing connections from the Tivos.


Something Small To Run Smoothwall 3.0 Express On

February 8th, 2008 by Dave · 3 Comments

Recently, a friend who had read my blog asked me what I ran my Smoothwall 3.0 Express firewall on. I tried to explain the tiny, fan-less, little case which I use. I bought it with the CPU (VIA C3) and three built-in-NIC motherboard all as a single unit. I only had to add in a DRAM stick and a notebook sized 2.5″ hard drive — both of which I had lying around. But unfortunately, since I had set this up years ago (with RedHat Linux 7 originally!) I can no longer remember who made it or where I bought it from. So my explanation wasn’t really very helpful to my somewhat non-technical friend.

So, I thought I’d come home and look at the box to see who manufactured it and write it up in a post. Unfortunately, I can’t find any markings on the thing that lead to anything useful when I look them up on the net. “Light Embedded Systems” just doesn’t get me links to ITX cases and cpu/mobo combos when I search. I guess it was some generic combo box put together by a company that has since gone out of business? So, instead, I’ll post some links to NewEgg.com for currently purchasable items that come reasonably close to replicating what I’ve got and being as cheap as possible:

APEX MI-100 Black Steel Mini-ITX Tower Computer Case with 250W Power Supply (Approx $56)

JetWay J627F800-OC VIA C3 processor VIA CLE266 Mini ITX Motherboard/CPU Combo (Approx $80)

CORSAIR ValueSelect 512MB 184-Pin DDR SDRAM DDR 266 (PC 2100) Desktop Memory (Approx $27)

Western Digital Caviar WD400BB 40GB 7200 RPM 2MB Cache IDE Ultra ATA100 Hard Drive (Approx $39)

Intel PWLA8492MT 10/100/1000Mbps PCI PRO/1000 MT Dual Port Server Adapter, 2 x RJ45 (Approx $162)

All of this totals up to approximately $364 (not including tax) and gets you a machine that is more than capable of running as a Smoothwall 2 or 3 firewall. You’ll notice that almost a third of that cost is a dual-port network card (NIC). I’m recommending this because it allows you to have 3 physical LANs connecting to your firewall. Your internet connection, or WAN, will be one of them, your protected home network will be another, and the third would be for your wireless network — which is much more risky, security-wise, than a wired connection since anyone happening by within radio range can likely hack in and get at your protected home network if it isn’t firewalled off. Or the third could be a de-militarized zone (DMZ) where you can loosen external access blocks to allow yourself to run servers from home without too much risk of exposing your critical data and home machines to the world. In a Smoothwall-world these interfaces are known as red, green, purple, and orange respectively.

If you leave out the dual-port NIC card from Intel (I have a hard time believing there aren’t cheaper cards but I can’t find one on NewEgg to link to) and instead go with a single ported card, that probably drops the total cost down to about $225 (again not including tax) and means you’ll do just fine assuming all you want is red and green LANs. Note that there isn’t really too much need to buy gigabit networking for this since, generally, only one of the LANs you’re inter-connecting is gigabit to begin with. Certainly my internet connection isn’t; nor is my wireless. If you go the DMZ route and you frequently access those servers from your home network, then perhaps it might pay off to have gigabit networking between those LANs.

BTW: Yes, you can buy a quad-ported NIC instead of the dual-port one and thus have up to five LANs on your firewall, but those cards are even more expensive and the people interested in that sort of need are probably capable of figuring it out on their own. :-)

EDIT 2008.02.17: Forgot to point out that this post provided the links I said were upcoming when I wrote the Living With A Smoothwall post.
