
View Full Version : Linux on HP dc7700



Slicker
05-19-12, 04:07 AM
If you have an HP dc7700 and want to use it to build a multi-ISP Linux firewall, my advice is to:
1) sell it on eBay
2) use the money to buy a different computer

Why?
Our ISP provided us with a Cisco WRV210 router. It only supports one Internet connection. From the reviews, it looks like it will work like poo even with just the one. It's basically a $60 LinkSys router with "Cisco Business" on the label. For work, I really needed redundant, robust firewalls that would support hundreds of concurrent users without dropping a connection and have VPN support, since my business partner and I both work from our homes. After researching what Cisco wanted for their high-end firewall routers, I decided I could build a Linux firewall/router for a lot less money. 90% less, to be exact.

So, I picked up a couple of used HP dc7700 small form factor PCs. They may be used, but their CPUs are about 12 times the speed of the WRV210. I added 3 additional gigabit NICs to each for a total of 4 (outside, inside, web DMZ, and wireless DMZ) and another GB of RAM. I figured I'd try using the new version of IPCop - the first major release in a number of years. Nope. It only recognized 2 of the NICs and wouldn't let me compile the required modules (drivers) to get the other two NICs to work. Next, Smoothwall. Then ClearOS. Then Fedora. Then Ubuntu. Oops, wrong version. Needed Ubuntu 32-bit. Still didn't work, and since I trust Ubuntu about as far as I can spit, I decided to move on even though it did install. It just gave me hope that another distro might work as well. I think I went through about 9 different distros altogether. CentOS and FreeBSD were about the only ones I didn't try. They all either didn't recognize the NICs and wouldn't let me build the drivers, or Linux would install but hang on the first boot.

It turned out that the BIOS on the dc7700 was a major part of the problem. But after upgrading the BIOS, I still had issues with it hanging when booting or when starting X Windows. After hours and hours of trial and error and turning off APIC and several other items, I finally got Debian 6 to install. Naturally, it only recognized two NICs. That meant getting the compiler, kernel headers, etc. in order to build the modules for the two unrecognized NICs. Once that was done, it was time to install and configure the Shorewall firewall. There are a couple of reasons for that. First, I really don't know squat about iptables, as I'd only worked with packet filters in the past. Second, Shorewall also handles multiple ISPs and can be set up to either load balance between them or use one as a primary and the other as a failover.

What I thought should have been an hour or so to configure Shorewall took another 10 hours, since there was a bug in the Shorewall code that I eventually found out about via Google and had to patch: it was adding the default gateway for the second ISP multiple times, which wouldn't work, and then it would stop running. Then came the OpenVPN install. It couldn't find a required library. I knew the library was installed. It turns out that the VPN software was using the wrong name for the library (openvpn-auth-pam instead of openvpn-pam-auth). A symbolic link fixed that, but it took a couple of hours to track that issue down.

I still have to configure the wireless-N NIC to act as an access point. Then I need to test all the firewall rules and the failover functionality. Once that is done, I need to clone it to the failover firewall machine since, with all the trial and error changes I made, I doubt I can remember exactly all I had to do to get it working. That will have to wait until next week.

Bok
05-19-12, 08:14 AM
How was the Smoothwall install? I've rarely had any issues with Smoothwall, even on more esoteric hardware. OpenBSD is even better in most cases, though it's a lot less friendly and you would likely have to mess about with iptables directly. I ran that as my firewall for many years (I use Smoothwall now).

What kind of NICs did you install extra that aren't being detected?

Fire$torm
05-19-12, 01:16 PM
^:)^ ^:)^ ^:)^

DrPop
05-19-12, 03:25 PM
Holy moley!!! :D

Sent from my MB860 using Tapatalk 2

trigggl
05-19-12, 09:44 PM
Sounds like you tried everything but Gentoo. (and Arch)

Mike029
05-20-12, 09:52 AM
Can you come fix my 8 track player? @-)


trigggl
05-20-12, 02:54 PM
Can you come fix my 8 track player? @-)

Does it have an internet connection? :-?

Slicker
05-20-12, 05:15 PM
How was the Smoothwall install? I've rarely had any issues with Smoothwall, even on more esoteric hardware. OpenBSD is even better in most cases, though it's a lot less friendly and you would likely have to mess about with iptables directly. I ran that as my firewall for many years (I use Smoothwall now).

What kind of NICs did you install extra that aren't being detected?

The ASUS Wireless-N PCE-N15 and the D-Link DGE-530T both needed the modules compiled in order for them to work. The main reason I went with Shorewall is because you can set up two ISPs on a single interface or have one per interface, which is what I did. The online examples worked well. That was the easiest part of the setup so far.
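For readers who want to see what the "one ISP per interface" setup Slicker describes looks like in Shorewall 4.4 (the version shipped with Debian 6), here is an added example of the two files that do the multi-ISP work. It is not the poster's configuration: the provider names, interface assignments (eth0/eth1 outside, eth2 inside, eth3 DMZ) and the gateway addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges are all assumptions.

```conf
# /etc/shorewall/providers  (added example, not the poster's config; the
# provider names, interfaces and gateway addresses are assumptions)
#
# Each provider gets its own routing table (NUMBER) and connection mark
# (MARK).  "track" marks reply packets so a connection that arrived via
# ISP1 is answered through ISP1, and "balance" spreads new outbound
# connections across both gateways.  DUPLICATE=main with COPY lists the
# internal interfaces whose routes are copied from the main table into
# each provider table, so LAN and DMZ remain reachable from both.
#
# NAME   NUMBER  MARK   DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
ISP1     1       0x1    main       eth0       203.0.113.1    track,balance  eth2,eth3
ISP2     2       0x2    main       eth1       198.51.100.1   track,balance  eth2,eth3

# Primary/failover variant: keep "balance" on ISP1 only and give ISP2
# "fallback".  ISP2's default route then sits in the main table with a
# higher metric and only carries traffic while ISP1's route is absent.
#ISP1    1       0x1    main       eth0       203.0.113.1    track,balance  eth2,eth3
#ISP2    2       0x2    main       eth1       198.51.100.1   track,fallback eth2,eth3

# /etc/shorewall/masq  (added example, same assumptions as above)
#
# Source NAT must be declared once per outside interface, otherwise
# traffic leaving via the second ISP goes out with an unroutable source.
#
# INTERFACE   SOURCE      ADDRESS
eth0          eth2,eth3
eth1          eth2,eth3
```

After `shorewall restart`, `shorewall show routing` (or `ip route show` and `ip route show table ISP1`) should list exactly one `default` entry in the main table, a single multipath route with a `nexthop` through each balanced gateway; more than one `default` line in the main table is the duplicate-gateway symptom Slicker describes. One caveat for the failover test he still has to run: Shorewall only installs the routes, it does not watch the links, so a provider whose gateway goes dark keeps receiving traffic until something external (a link monitor such as lsm, or a manual `shorewall disable ISP1`) pulls its route.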