#1
I've put another copy of this guide at Make Your Own Router - it will remain there also so please feel free to link to it
If you are reading this then at least you are curious, which means the thread title worked.

This thread sets out to explain:
a) what a router is and why you need one
b) why setting up your own router / firewall is better than buying something 'off the shelf'
c) how simple it is to set up a very secure router / firewall for your i'net connection at minimum cost and effort (i.e. for free in 1 hour!)
d) the secrets - what the router manufacturers didn't want you to know

Why do I need a router?

A router or router-firewall (I will use the terms interchangeably, where I say 'router' I mean 'router-firewall') in the simplest sense is just something that sits between your ISP connection (be that a dial-up modem, an ADSL modem or a cable modem) and allows data (e.g. the web page you are viewing) to be routed between the internet and your internal 'home network'. Your 'home network' might be just one PC but a router allows you to block all types of inbound or network related attacks, e.g. any kind of internet worm that works by connecting to RPC or DCOM ports and many other types of attacks that try to connect to you from the internet.

In simple terms a firewall-router protects your PC(s) from the bad people on the internet very effectively, you don't need to know anything about how it works or how to set up the 'firewall' side of things to be protected, most routers come configured to work well with no real setup needed.

The other main advantage to using a router is that you can leave it on 24/7 and connect any number of PCs into your network at home to all share the internet connection with minimum fuss. A router should be very stable and many people leave them on 24/7 to give them a more or less permanent connection to the internet.

Some people suggest running a 'personal firewall', this is no bad thing but it suffers from some major drawbacks.
The term 'personal firewall' I take to mean a firewall application that is running on your actual PC, that's the problem with it! Anything that runs on your PC is vulnerable to a potential virus or malware that you might accidentally download and run. Some malware explicitly targets personal firewall apps and disables them, sometimes in ways which are not obvious to spot. A 'router-firewall' on the other hand is running on a dedicated box and so is far harder to bypass or disable. That's not to say they are useless, they are certainly better than nothing, there are free ones about so check them out if you decide not to have a router!

Why should I make my own?

Because you can and it's fun!

An ADSL router can be purchased and they aren't much more now than an ADSL USB modem but many people already have USB modems and want to 'upgrade' to use a router-firewall, if you make your own you can use the existing USB modem and build the actual firewall-router part, saving money.

Many routers you can buy are just plain rubbish, you only need to search the intarweb (ian) for people trying to use a purchased router with a peer2peer app (like emule / kazaa etc) to see the amount of issues. A cheap purchased router in a lot of cases tends to crash or 'reset' when you push your internet connection with lots of downloads or uploads. In my experience I can have over 1000 simultaneous connections and the router I built doesn't even break a sweat, let alone become unstable.

Making your own router gives you the kind of flexibility that you can't get from a purchased router, it is upgradable with a simple download and new features are being added as time goes on. Once you have bought a router you are stuck with the functionality you got when you bought it, until you buy a newer one of course!
Support, a router you build based on the free open source software around is made by a bunch of people like you, there is an active community of people who will help you get set up and offer advice if you want your router to do something more as your needs and understanding grow.

Setting up the router-firewall

To make a router you will need the following:
a) 1 old PC (a p100 with 32 megs ram and a 500 meg or 1 gig HD is more than enough), this will become the dedicated router-firewall.
b) some way to connect the router to the ISP, i.e. an ADSL USB modem for ADSL or a NIC (ethernet card) for cable modem or a dialup modem if you are using dialup. If the old PC doesn't have a USB port then you can get a PCI USB card for around 15 quid or less.
c) a NIC card to connect the router to your home lan (wireless will be an option soon!), a NIC card costs around 5 quid, you will also need a NIC card in each PC you need to connect.
d) an ethernet switch (or hub) if you have more than one PC you need to connect, a switch works just like a multi-way extension cable but it's designed to split an ethernet connection between your PCs so you can plug in many PCs (an 8 way switch for connecting 7 PCs is about 50 quid or less now, a 4 way switch for connecting 3 PCs is around 20 quid), if you have more than 7 PCs you want to connect then get another switch and connect it in or get a larger switch to start with.

Once you have the bits you are set.

In my opinion the easiest and best router-firewall can be made by downloading 'IPCop' from http://www.ipcop.org - it's a free, open source firewall. Installation is simple, just burn a CD from the downloaded file (the complete OS is only 30 megs!) and boot from the CD to install. If your old / donor PC can't boot from CD then you will need to use floppy disks which can be created on another PC by using the IPCop CD you made.
(there are other ways to install it without needing even a CD drive - but that is beyond the scope of this txt!)

IPCop is a complete operating system, which means there is no underlying windows OS required on the p100 / donor PC and no licenses to worry about. This is the truly neat part, a free OS that is pre-configured to install simply and provide you with a high quality dedicated firewall-router that is simple to set up and simple to use.

If you are installing IPCop for the first time then you will need to read the installation manual at http://www.ipcop.org/modules.php?op=...pDocumentation , think of it as reading the manual to your video recorder, it isn't that long and will allow you to understand IPCop and become more confident about the installation process. I think you can install it in about an hour after reading the install guide, have a quick look at the FAQ as it should answer most questions you may have. If you get stuck, ask!

Secrets of Purchased routers

ok - not that secret and mostly conjecture

Many people are under the impression there is something called a 'hardware router-firewall' that is magically more secure and stable than a 'router-firewall' you can make yourself. This is generally wrong on 2 counts:

A purchased ADSL router, if you opened it up, is really something like a 486 CPU with not much memory running some firewall software that's loaded off a diskless storage device, i.e. it's not a 'hardware router-firewall', if such a thing even exists! They can crash and fail just like any other computer you ever used.

Whether it can be more secure is not quite so easy to dispute, all things have flaws, firewalls are no exception, generally speaking a firewall based on linux (as IPCop) is secure if set up correctly, IPCop is easy to set up and hard to set up wrongly (though as with a purchased router-firewall it can be set up to be insecure if you try!).
IPCop regularly puts out fixes for their code, the kind of fixes you will see are generally not fixes to the 'internet side' of the router, they are usually small issues that could only be exploited with great difficulty by a determined hacker who could plug their computer into the network at your house (of course there are other ways that can happen e.g. some kind of remote access trojan). It is hard to know what kind of issues exist within a purchased router, if there are so called 'firmware upgrades' these may contain fixes for insecurities in the firewall - it is hard to tell because they may not want that kind of information made public?

.. I'll add more to this as I think of it, please post any views or questions you have

Sil

PS, there's no section at the moment called 'day to day' running, I have 2 IPCops on my home network (I have cable i'net and ADSL) and I am very pleased with how IPCop performs, the setup and any maintenance is via a web browser which you point at the router, any fixes or patches that need to be applied are also done through the web page, most fixes do not require a reboot.. once IPCop is installed it behaves like most any other router you can purchase that is pre-built
Last edited by silver; 22-January-2006 at 11:23.
#2
Sil,
Great post! Very well-written if understandable by someone at my level of curiosity and modicum of expertise, and I think I got it. This kind of tutorial is really invaluable for those of us who need a lot of hand holding to get through most software/hardware issues. It motivates me to give it a try and I will do so, soon as I can get the overheating problem on my superfluous PIII machine sorted. (Have located a new cpu fan and will see if this gets relief.)

The other thing is that the old P3 sounds like the Concorde taking off. I know that one can minimize noise from any puter if one has the time and money, but is there not a simple fanless box with a modest cpu but no O/S that can be purchased for not a lot of dosh, and which can be used for IPCOP? As you mention, only a minimum of resources are needed!
#3
Thanks!
I hope that I have explained stuff in a way that makes it more accessible to those who are curious but don't recognise all the technical lingo those 'in the know' tend to use!

A p3 will be fine, the idea is to save money if possible, if you can use an old PC you have that's good. I tend to buy old PCs if I don't have one spare, the last complete PC I bought recently was a p3 600 for 60 quid. Once IPCop is set up it doesn't need a mouse, keyboard or monitor, you generally put it in a corner and connect to it occasionally from your web browser on your main PC.

Most computer noise is generally fan noise, which can be caused by old fans starting to squeak a bit, see http://www.dansdata.com/fanmaint.htm for a tutorial on how to fix this (I normally use cooking oil!). You may be able to make the p3 almost noiseless by under-clocking it and reducing the fan speed or replacing fans, 3 quid for a new fan perhaps. (prolly best to start a new thread with a separate question if you aren't sure how to under-clock it)

I hope a few more people do try it, I know everyone who has one installed is impressed!

Sil

PS, I am in no way connected with the group of people who write IPCop except as a satisfied user, I just think it's a great free to use product that more people should try!

Last edited by silver; 22-January-2006 at 11:27.
#4
Hi sil, great advice which I really would like to try, however as a first question:-
What do I do with my software firewall? in this case zone alarm.
billytee
__________________
The moving finger writes; and having writ............
#5
yep - it's a good question, I don't personally use any software firewalls inside my local network, but some people do like to run software firewalls like ZA as well as use a router...

think of your personal PC as a house, with ZA being the lock on the front door, a router can be seen as something like a fence round your property, if the fence is good then not much is going to ever get to your front door, this is certainly true of inbound traffic (people outside on the internet trying to get in).

the handy thing about using ZA as well as having a router would be to stop outbound traffic, say if you somehow picked up a trojan that wanted to connect out from your PC, the router lets most traffic straight out, having ZA running as well would mean it would spot something 'new' trying to get out and alert you, matter of choice really

Sil
#6
Very informative, Sil!!
I've been planning something like this for some time now, saving an old p133 for the purpose. But: Can you store your homepage and maybe even run scripts (I have a static IP address) on that OS platform? Do you need additional software, and would that be easily compatible with IPCop?
/Pentyl
__________________
I'm off
#7
well - any (most?) linux s/w will run on IPCop, so to serve pages you can use apache, in fact apache is already installed since that's what it's using to give you the GUI config pages..

but!,.. I would suggest that this is a bad idea, a router / firewall thing really should be dedicated to one task and provide a potential attacker the bare minimum of possible entry points!

the best and safest way to host things on your IP address is with yet another box (!) this box sits in a special zone or subnetwork called a DMZ (de-militarized zone), so if in the event of someone gaining access to your webserver they can't get to the rest of your internal network - and more importantly perhaps they still haven't got access to your firewall so they can't make any changes.

IPCop lets you configure a DMZ, in effect it's like having 2 separate networks at home behind the router, one is your normal network you use for all your general PCs, the other is a 'special' network (a.k.a the DMZ) that you put your internet visible servers into - like a webserver for instance

ok, some people will think this is a lot of hassle and it's true you can do things far more simply with less boxes but hosting servers properly and securely is worth thinking about, you could choose to do things more simply but it's worth understanding how it should be done (though of course there's plenty of different opinions on this subject!)

Sil

edit - fixed typos

Last edited by silver; 29-October-2003 at 19:47.
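
The zone separation described in the post above, written out as a default-deny forwarding table. This is an added example, not part of the original thread and not IPCop's own rule set. It covers forwarded traffic only; the zone names follow IPCop's colours, while the interface names and the two entries marked as assumptions are illustrative.

```python
# Added example: a default-deny forwarding policy for a three-zone router.
# Zone names follow IPCop's colours; interface names are assumptions.
ZONES = {"green": "eth0", "orange": "eth1", "red": "ppp0"}

# Flows allowed to OPEN a new connection: (from, to, protocol, dest port).
# None means "any". Everything not listed here is dropped.
ALLOW_NEW = [
    ("green", "red", None, None),     # home PCs out to the internet
    ("green", "orange", None, None),  # home PCs may reach the DMZ server (assumption)
    ("orange", "red", None, None),    # DMZ server may fetch updates (assumption)
    ("red", "orange", "tcp", 80),     # internet may reach the web server only
]


def allowed(src, dst, proto="tcp", dport=0, established=False):
    """Return True if the router forwards this packet."""
    if established:  # replies on a connection that was permitted earlier
        return True
    return any(
        (s, d) == (src, dst) and p in (None, proto) and port in (None, dport)
        for s, d, p, port in ALLOW_NEW
    )


def render_forward_rules():
    """Render the same table as iptables-restore style lines (FORWARD chain)."""
    lines = [
        "*filter",
        ":FORWARD DROP [0:0]",
        "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for s, d, p, port in ALLOW_NEW:
        rule = f"-A FORWARD -i {ZONES[s]} -o {ZONES[d]}"
        if p:
            rule += f" -p {p} --dport {port}"
        lines.append(rule + " -m state --state NEW -j ACCEPT")
    lines.append("COMMIT")
    return lines


if __name__ == "__main__":
    print("\n".join(render_forward_rules()))
    # A compromised web server trying to open a connection into the home LAN:
    print("orange -> green:", allowed("orange", "green", "tcp", 445))
```

There is no orange-to-green entry in the table, so a compromised DMZ host can only answer connections that the home network opened towards it.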
#8
Thanks Silver!
I follow your argument and I'm afraid you confirmed what I feared. The major problem is no longer the technical issues, it's the lady of the house and her attitude towards boxes...
/Pentyl
__________________
I'm off
#9
Originally posted by Pentyl

good luck!

Sil
#10
Some of the new routers out are UPNP and allow ports to open automatically for programs such as msn messenger etc. Does your router have this option?
thanks
#11
best not, upnp has so many holes in it. try google. always best to open ports manually
#12
I'm interested in building my own router/firewall and found your thread v. interesting. One thing I am struggling to get my head round is the connectivity between a PC running under Linux and my Zyxel Prestige 630 USB Modem. I'm probably being thick and hence would appreciate more information.
#13
Hi Dave40,
Sorry missed your post at first. The 'router' (at least IPCop anyway) is the PC that the modem connects to, so instead of plugging the modem into one of your lan PCs plug it into IPCop. Then you connect your PCs to IPCop using normal cat5 and ethernet cable

Sil

PS, don't really consider IPCop as a linux PC, it's a PC running a dedicated firewall operating system. Just install IPCop on the box by booting from the IPCop CD and you are done!
#14
Hi Silver,
I recently purchased an ADSL-Router Modem, which was recommended to me by a few people and I have definitely run into my fair share of problems setting it up with emule. I wish I had come across your post previously to purchasing it, the modem I have is a Billion 741 GE Firewall / Router / 10 - 100 Switch www.741ge.com

People suggest that it is good enough for me and I shouldn't bother using an old box to build an IPCop router as u have suggested, I wouldn't mind if you could give me ur opinion with the comparison of my existing ADSL Router above.

Also I am kind of limited on some parts and space as well, so I thought if I do start the project perhaps use a 2nd hand xbox to run it as a router with IPCop, I mean with all the xploits now on the console, can it be done? I mean it would look flash and also save some space and $$$

Well I look forward to your feedback if u have the time. Also I was looking for a detailed Step-by-Step site for dummies on building a Firewall Router, know of any sites?
__________________________
Kind Regards,
Dan
#15
Hi Dan,
The router you have might well be fine, w/o having one to compare (unless there's detailed info on the web somewhere already!) it's hard to know how it stacks up against IPCop. Common problems with 'purchased routers' are they slow right down or reset when you push a lot of concurrent connections (like using a p2p app).

xbox hacking I know v little about, you could try the ipcop dev list as they might know, it has been mentioned a few times but I don't know how far along they got. My IPCop boxes are a pII300 and pII450, can pick up something similar here for around 50 UK pounds secondhand.

building your own router, just install IPCop - unless you really need something that's custom, ipcop deals with most types of setup, no sites to hand at the mo.

glad you found the post interesting, am on hols at the moment (just borrowed a connection to pop-in briefly) so don't have much time to look into it!

Sil

PS, welcome to TS!
#16
I've got nowt to do so am downloading ipcop to have a go, got a few spare baseunits and will stick it in loft out of the way.

d) a ethernet switch if you have more than one PC you need to connect, a switch works just like a multi-way extension cable but it's designed to split an ethernet connection between your PCs so you can plug in many PCs (an 8 way switch for connecting 7 PCs is about 50 quid or less now, a 4 way switch for connecting 3 PCs is around 20 quid), if you have more than 7 PCs you want to connect then get another switch and connect it in or get a larger switch to start with.
#17
ahh - good question
have corrected the first post to include hubs, they are pretty much interchangeable really - related thread: Hub or Router??

let us know how you get on!

Sil
#19
nice, let us know what you think once you get used to it
Sil

btw, file mgmt.o is needed for speedtouch modem and is DL from the alcatel site under linux drivers - instructions are in the ipcop documentation
#21
10:47pm up 4:27, 0 users, load average: 0.01, 0.01, 0.00

Sil
#22
all seems to be working well.
just uploaded fix 7. surprising how many scans you get in the logs, never really noticed them with XP's own firewall

(spp_portscan2) Portscan detected from 62.25.99.21: 1 targets 21 ports in 2 seconds

quite a few of those today

so if I wanted to put a webserver on would I just set up an orange network for it
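
Alert lines like the one quoted in the post above can be grouped by source address to see who scans repeatedly and in what pattern. This is an added example, not part of the original thread; only the alert text format comes from the post, while the timestamp and prefix layout and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Alert text as quoted in the post above; anything before it on the line
# (timestamp, daemon name) is ignored.
ALERT = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<src>[\d.]+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds"
)

# Constructed sample lines using documentation addresses (RFC 5737), not real logs.
SAMPLE_LOG = """\
10:02:11 snort: (spp_portscan2) Portscan detected from 192.0.2.10: 1 targets 21 ports in 2 seconds
10:02:40 snort: (spp_portscan2) Portscan detected from 198.51.100.7: 12 targets 1 ports in 5 seconds
10:07:03 snort: (spp_portscan2) Portscan detected from 192.0.2.10: 1 targets 34 ports in 3 seconds
10:09:15 kernel: some unrelated firewall log line
"""


def scan_kind(targets, ports):
    """Vertical = many ports on one host; horizontal = one port across many hosts."""
    if targets == 1 and ports > 1:
        return "vertical"
    if ports == 1 and targets > 1:
        return "horizontal"
    return "mixed"


def summarize(log_text):
    """Group portscan alerts by source address."""
    summary = defaultdict(lambda: {"alerts": 0, "max_ports": 0, "kinds": set()})
    for line in log_text.splitlines():
        m = ALERT.search(line)
        if not m:
            continue  # not a portscan alert
        targets, ports = int(m["targets"]), int(m["ports"])
        entry = summary[m["src"]]
        entry["alerts"] += 1
        entry["max_ports"] = max(entry["max_ports"], ports)
        entry["kinds"].add(scan_kind(targets, ports))
    return dict(summary)


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["alerts"])
    for src, info in ranked:
        print(f"{src:15} alerts={info['alerts']} max_ports={info['max_ports']} "
              f"kinds={','.join(sorted(info['kinds']))}")
```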