Version: 3.2
By: Lucien Wells.
Using: SmoothWall 0.9.9 (final)
Special thanks to:
i. Alex Webster for coauthoring the HTML, and
ii. Mathew Frank for modifying BPALogin (and putting up with me
:).
SmoothWall (aka. Smoothie): http://www.smoothwall.org
Telstra Bigpond (Advance) Cable: http://www.bigpond.com/broadband/
As the availability of internet access, and in particular broadband connections, has spread, people have increasingly wanted to share their bandwidth available to across private LANs (local area networks). Furthermore, due to the permanent and semi-permanent nature of most speedy connections, the need for security has increased. Enter SmoothWall, a firewall and gateway Linux appliance.
While SmoothWall works straight out of the box for most broadband connections, a certain amount of customisation is needed to get SmoothWall to work with Telstra Bigpond Cable. Unlike most cable connections, Telstra requires the use of a login application with its cable product. This mini-HOWTO will describe the various steps required to have SmoothWall work effectively with Bigpond Cable.
Before proceeding with the rest of this mini-HOWTO, you will need the following:
I will assume that you have read and correctly followed the instructions provided by the SmoothWall team, have a working SmoothWall installation, and are able to access the admin interface from another PC (again, this is outlined in the documentation).
To transfer files to the SmoothWall installation, the SSH server on the SmoothWall box must be enabled. To do so, surf to the admin interface and select the "Remote Access" option from the menu on the left-hand side.
The SmoothWall login screen – select "Remote Access" from the menu bar.
Once at the "Remote Access" screen, place a check in the ‘SSH’ checkbox and hit the save button. SSH access is now enabled.
The Remote Access screen.
As outlined in the ‘before you begin’ section, you will need a copy of SSH Secure Shell, to have it installed, and have a basic understanding of its workings.
The first ‘issue’ one is likely to encounter with SmoothWall and Bigpond Cable is related to SmoothWall not identifying the DHCP (Dynamic Host Configuration Protocol – the system used be Bigpond Cable to assign IP addresses) settings correctly. I initially suspected this problem pertained only to my connection, but it has since been confirmed by other Bigpond cable users.
SmoothWall uses the dhcpcd client for obtaining DHCP configuration information on boot. So, the first step is to boot (or restart) your SmoothWall box ensuring that the connection to your cable modem is plugged in. Now, login to your SmoothWall box via SSH, and do the following:
1. Go to the /etc/ directory:
cd /etc/2. Open the ‘resolv.conf’ file in joe:
joe resolv.conf
Ideally, your ‘resolv.conf’ file should contain something similar to this, although the exact contest will vary depending on your location:
nameserver 61.9.192.13
nameserver 61.9.192.16
nameserver 127.0.0.1
search nsw.bigpond.net.au
If it does, you are A-OK to proceed to ‘Installing a login client -- BPALogin’. However, it is much more likely that your ‘resolv.conf’ will contain the following:
nameserver 127.0.0.1
This means that dhcpcd was unable to obtain the required DHCP information from Telstra’ DHCP server, and any attempt to login to Telstra’s cable service will not work. At this point, exit Joe:
1. To exit Joe, press the following two keys:
Crtl-k2. When you see "ˆk" appear in the top left corner, press:
'q' and press enter or return.
The simplest way to fix this problem is to edit the ‘resolv.conf’ file so it contains the correct information, and the easiest way to get that information is to do the following:
1. SSH in to your SmoothWall box.
2. At the command prompt, type the following: "dhcpcd ethX" where ‘ethX’ is the name of the network card that your cable connection is connected to. If you do not receive an error message, please skip steps three (3) through five (5).
3. You may, however, receive the following error message:
**** dhcpcd: already running
**** dhcpcd: if not then delete /var/run/dhcpcd-ethX.pid fileWhere "ethX" is the relevant network card.
4. Essentially, as the error message states, dhcpcd is already running, and thus must be disabled. To do so, type the following at the command prompt:
kill $(cat /var/run/dhcpcd-ethX.pid)Again noting that "ethX" is the relevant network card.
5. Now reissue the original command: "dhcpcd ethX". This time you should receive no error message.
EthX? What the…?:
If you are unsure what ‘ethX’ is on your system, type "ifconfig" at the command line. Assuming you have two network cards, you will see "eth0","eth1" and "lo". Ignore "lo". Look specifically at the information following the ‘inet addr’ field.
One network card will show the IP address for the ‘green adapter’ address you entered during the SmoothWall installation – in my case that was ‘192.168.0.1’ – it is the other card, the ‘red adapter’ we are after. Note the name of this card: replace ‘ethX’ with the name of that card.
Now refresh the directory (ls -l) and you should notice a new
file: ‘resolv.conf<anything>’, where <anything> could be ".sw"
or "~" or a number of possibilities. This is a backup file that will
contain the old 'resolv.conf' information, that is, "nameserver 127.0.0.1".
Open the ‘resolv.conf’ file in Joe:
1. Go to the /etc/ directory:
cd /etc/2. Open the ‘resolv.conf’ file in Joe:
joe resolv.conf
You should now see something similar to this:
nameserver 61.9.192.13
nameserver 61.9.192.16
nameserver 24.192.1.30
search nsw.bigpond.net.au
The exact contents may vary somewhat, but it should be similar. If you still only see "nameserver 127.0.0.1", you have a problem of some sort – check that all your cables are connected properly, that your cable modem is on, and that you typed the dhcpcd command correctly.
You will need to make one change to the resolv.conf file:
1. Use the directional keys to navigate to the third 'nameserver' line, for example:
nameserver 24.192.1.302. Replace it with:
nameserver 127.0.0.13. To save the changes, and exit Joe, press:
Ctrl-k4. When you see "ˆk" appear in the top left corner, press:
'x' and press enter or return.
Now, bearing in mind that when the SmoothWall box is reset it will revert back to the ‘resolv.conf<anything>’ file (mentioned earlier), we want to make the contents of ‘resolv.conf<anything>’ match that of the new ‘resolv.conf’ file. The easiest way to do this is to execute the following commands from the command line:
1. Go to the /etc/ directory:
cd/etc/2. Copy the ‘resolv.conf’ file to the ‘resolv.conf.sw’ file:
cp resolv.conf resolv.conf<anything>Where resolv.conf<anything> is the name of the file to be overwritten.
3. When prompted to overwrite, type:
‘y’ and press enter or return.
Since writing the original SmoothWall and Bigpond Cable guide, it came to my attention that there was a specific issue with DNS resolution and Bigpond Cable that meant it took much longer than it should to log in via SSH.
The following is a workaround for the problem thanks to Lawrence Manning (SmoothWall co-author), and involves editing the /etc/hosts file, adding any and all clients that you would like to have access to SmoothWall (without the long hanging periods). Note that this workaround only applies to people using static IP addresses, not an internal DHCP server.
1. Go to /etc/ directory:
cd /etc/2. Open the 'hosts' file with Joe:
joe hosts3. You should see the following:
127.0.0.1 localhost
192.168.0.1 smoothwall4. For every client machine that you want to be free of the long hanging period, you will need to add the machine's IP address and hostname to the 'hosts' file using the syntax:
<IP address> <hostname>5. For example, I have one client on my network called "Power2burn" which has an IP address of 192.168.0.2, so my 'hosts' file looks like this:
127.0.0.1 localhost
192.168.0.1 smoothwall
192.168.0.2 Power2burnRepeat for all client machines you wish to add.
6. When done, save and exit Joe Press:
Ctrl-k7. When you see "ˆk" appear in the top left corner, press:
'x' and press enter or return.
Ok, that’s half the battle won. At this point it is necessary to restart your SmoothWall machine: your cable modem must be plugged into your SmoothWall machine during (and after) the restart, as the rest of this guide assumes it is. For those that don’t know the correct restart command, type the following:
shutdown –r now
This will immediately start the shutdown process, with the ‘-r’ flag indicating to the machine to reboot. Once the reboot is complete, login to your SmoothWall machine via SSH.
The next ‘issue’ is not an issue with SmoothWall at all, rather it is a problem with the way that Telstra has setup its Bigpond Cable network. Unlike most cable networks (and like the RoadRunner cable service in the US), Telstra Bigpond Cable requires you to run a login application before you can access anything, and thoughtfully Telstra didn’t provide a *nix login client.
Thankfully, Bigpond users came to the rescue and programmed a number of unofficial login clients – this is where the modified BPALogin script you downloaded earlier will come in handy.
Before going much further, I would like to point out that this version of BPALogin has been specially modified by Mathew Frank to work with SmoothWall. The unmodified version can be found here.
This is where the other part of the SSH Secure Shell package will come in handy -- Secure File Transfer Client. Open it, and configure it to connect to your SmoothWall machine. For example, my configuration looks like this:
Secure File Transfer Client - Replace 192.168.0.1 with the IP of your SmoothWall
machine.
Once logged in, switch to the root directory (/), and upload the smbpalogin.tar.gz compressed file you downloaded earlier by selecting 'Upload' from the 'Operations' menu (making sure you have selected the / directory), finding and selecting the file you wish to upload (smbpalogin.tar.gz), and by clicking on the upload button.
Secure File Transfer Client - Selecting the file to upload.
With the file successfully uploaded, exit Secure File Transfer Client, switch back to the SSH client and do the following:
1. Go to the root (/) directory:
cd /2. Uncompress the gzip file:
gzip -d smbpalogin.tar.gz3. Uncompress the resulting tar file:
tar -xvf smbpalogin.tar
The tar files will decompress and automatically place the file in the correct directories, with the appropriate permissions -- totally painless. If you are interested, the following is what is decompressed, and where:
|
bpalogin |
--> /usr/sbin --> /etc --> /etc/rc.d/init.d --> /var/smoothwall/bpalogin --> /var/smoothwall/bpalogin/docs |
The next step is to configure the BPALogin script. At the command line, or via SSH, do the following:
1. Switch to the /etc/ directory:
cd /etc2. Open the 'bpalogin.conf' file in Joe:
joe bpalogin.conf3. Locate the following lines:
# The user name you have for your BPA account
username yourname
# Your BPA password
password yourpassReplace "yourname" and "yourpass" with your username and password respectively.
4. Save and exit Joe:
Ctrl-k5. When you see "ˆk" appear in the top left corner, press:
'x' and press enter or return.
That is all the configuration that should be necessary for BPALogin in almost all cases. There are, however, a number of other options you may like to investigate at a later date.
Now that all necessary installation and configuration has taken place, it is time to test BPALogin by executing the following at the command line, or via SSH:
1. Start BPALogin:
/etc/rc.d/init.d/bpalogin.init start2. If all is successful you should get a message saying:
Starting bpalogin:
Started sucessfully
Your SmoothWall machine (and any clients, if configured correctly) should now have net access! But rather than having to type commands, lets automate the process.
We are almost there; we just need to make one final change. Assuming you are still logged in to your SmoothWall machine via SSH, do the following:
1. Make sure you are in the /etc/rc.d directory:
cd /etc/rc.d2. Open the rc.sysinit file in Joe:
joe rc.sysinit3. Using the directional keys, scroll down to the lines that read:
echo "Starting sshd (if enabled)"
/usr/local/bin/restartssh
4. Add the following directly after the above lines:
echo "Starting bpalogin (if enabled)"
/etc/rc.d/init.d/bpalogin.init start5. Save and exit Joe:
Ctrl-k6. When you see "ˆk" appear in the top left corner, press:
'x' and press enter or return.
Done! Restart your SmoothWall machine, and during the start-up process watch for "Starting bpalogin (if enabled)". When the machine has finish rebooting, login as root, and try pinging a server (for example, telstra.com):
1. To ping telstra.com type the following at the command line:
ping –c 4 telstra.com2. You should get a readout similar to the following:
PING telstra.com (144.135.18.10) from 144.132.178.59 : 56(84) bytes of data.
64 bytes from 144.135.18.10: icmp_seq=0 ttl=251 time=9.4 ms
64 bytes from 144.135.18.10: icmp_seq=1 ttl=251 time=17.1 ms
64 bytes from 144.135.18.10: icmp_seq=2 ttl=251 time=14.8 ms
64 bytes from 144.135.18.10: icmp_seq=3 ttl=251 time=34.1 ms
--- telstra.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 9.4/18.8/34.1 ms
If you do not get a readout similar to the above, try pinging another server, say yahoo.com (just replace ‘telstra.com’ with ‘yahoo.com’ in the above command). If you still don’t get the appropriate output, you have done something incorrectly, so go back over the above instructions.
There comes a time when you want get your SmoothWall box to logout of Bigpond Cable. You have two options – either shutdown the machine, or type the following at the command line, or via ssh:
/etc/rc.d/init.d/bpalogin.init stop
This will gracefully log you out of Bigpond Cable.
The following is a list of people who helped me write this guide (in no particular order):
Stephen Johns
Alex Webster
Richard Morrell
Lawrence Manning
Lincoln Dale
‘Bill’, ‘Becky’ and ‘neuro’ from the SmoothWall IRC channel.
Numerous people on the ‘[users]’ mailing list.
SmoothWall:
SmoothWall is a trademark of Richard Morrell and Lawrence Manning and is
published under the GNU General Public License.
Telstra Bigpond Cable:
TELSTRA and BIG POND are trademarks of the Telstra Corporation Limited.