Aim
I wanted a router/firewall system for capturing internet usage by IP address. There are some Linux/BSD distributions that do this plus a LOT more which are interesting to have. Enter:
Smoothwall
The catch was that most of these distros are run on a separate, standalone box. I already have a box that runs full time for file sharing among other things and I really didn't want to add the power consumption of another box to that.
So running it in a virtual machine is the answer.
(I also checked out pfSense. Unfortunately I couldn't find an easy way to get IP usage monitoring on this distro, whereas Smoothwall 3.0 does it out of the box. I like pfSense a little better in all other ways though, it seems a bit more user friendly and really easy to configure.)
Specifics:
Machine: Host OS is Vista 64bit Home Premium. The box actually has 2 ethernet ports, however I only used one of them in this setup (running both Red and Green interfaces on Smoothwall!) as there is only one network connection in its physical location and the box cannot be moved.
Sun VirtualBox (64bit version for my OS) used to create the Smoothwall VM
Smoothwall Express 3.0 (64-bit) ISO
Network: Most of these Smoothwall based router/firewall setups have an external and internal IP interface. (Smoothwall calls the external the 'Red' interface, internal 'Green'). With my network setup though, I didn't want the Red interface to actually have the internet IP because my box is physically located a fair distance from my ADSL line. So in my setup, the ADSL router is still the internet facing device and traffic needs to be routed through Smoothwall.
Setup:
First things first of course. Install VirtualBox. This is simple, so I won't go into detail.
Before I install Smoothwall into a VM, it's important to get my head around the network setup. Everything is actually going to be on the same IP range, which is a bit weird for a Smoothwall install. Basically here is how I set up my network to get it working the way I want with my ADSL router:
- Disable all DHCP. Smoothwall will take care of this, and as a result all internet traffic will route through Smoothwall as it will assign itself as the gateway and DNS server, so internet traffic will come to the Red interface and then traffic will be forwarded to the ADSL router.
- I also enabled a DHCP forwarding function on my ADSL router. I don't think this is necessary as all the internal network is in the same IP range and Smoothwall will broadcast that it's the DHCP server, but I ticked this setting anyway.
- Enabled DMZ on the router to be the Red IP address of Smoothwall. This will forward all incoming internet traffic to Smoothwall, so Smoothwall will still be acting as a firewall. (and saves me from forwarding ports on 1000 devices).
- The IP range of my network is 192.168.0.1/24. Basically my network is set up so that device self-assigned IPs are between 200-254, statically assigned (via DHCP) IPs are between 100-200, and all other DHCP is between 2-99. 192.168.0.1 is my router.
Smoothwall Installation
To install Smoothwall in VirtualBox, these were the steps I took.
- Create new VM by clicking 'New'
- Create a name (Smoothwall for ex.), set the OS to Linux, version to Other Linux
- Set the RAM size for the install, mine was 128MB
- Create new hard disk (select Dynamically expanding storage, check location to be somewhere you want it, and set the Size to 2.00GB)
- Finish the wizard
- Click Settings for the new VM
- Go to Network, set the following settings for both the Adapter 1 and Adapter 2 tabs (these will be the Red and Green interfaces on Smoothwall):
  - Tick Enable Network Adapter
  - For Adapter Type, select 'Intel PRO/1000 MT Desktop'
  - Set Attached to 'Bridged adapter' *Note the cog to the right, it will give you the MAC Address of the interface, which can be useful to write down and refer to while installing Smoothwall.
  - Select your current computer's network connection from the Name dropdown box
- Click OK to finish
- Click Start to boot up the virtual machine
- It will ask you to mount a CD image as nothing is installed on the machine yet. Point the wizard to your Smoothwall.iso image file on the computer.
- Smoothwall CD should boot on the screen, press enter to begin setup.
- Run through the Smoothwall setup. It asks you all the questions it needs to know. A couple of points on what needs to be set up are below.
- Once setup is complete, the VM will restart. You can remove the CD: Right-click the CD icon on the bottom of the VM window and select to unmount the image.
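The same VM definition can be scripted so it is repeatable. This is an added example, not part of the original post: it uses current VBoxManage syntax, and the disk file name and the host adapter name "Local Area Connection" are placeholders. The VBoxManage arguments are the same on a Windows host.

```shell
#!/bin/sh
# Added example: the GUI steps above as VBoxManage commands.
# DRY_RUN=1 (default) only prints each command; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"
VM="${VM:-Smoothwall}"            # VM name used in the post
OSTYPE_ID="${OSTYPE_ID:-Linux}"   # VirtualBox OS type id for "Other Linux"
DISK="${DISK:-Smoothwall.vdi}"    # assumed disk file name
ISO="${ISO:-Smoothwall.iso}"      # installer image named in the post

vbox() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "VBoxManage $*"
    else
        VBoxManage "$@"
    fi
}

# $1 = host network connection that both adapters are bridged to
# (names are listed by: VBoxManage list bridgedifs)
create_smoothwall_vm() {
    hostif="$1"
    vbox createvm --name "$VM" --ostype "$OSTYPE_ID" --register
    vbox modifyvm "$VM" --memory 128
    # Adapters 1 and 2 (Red and Green); 82540EM is Intel PRO/1000 MT Desktop
    for n in 1 2; do
        vbox modifyvm "$VM" "--nic$n" bridged "--nictype$n" 82540EM \
            "--bridgeadapter$n" "$hostif"
    done
    # 2.00 GB dynamically expanding disk, then the installer ISO as a CD
    vbox createmedium disk --filename "$DISK" --size 2048 --variant Standard
    vbox storagectl "$VM" --name IDE --add ide
    vbox storageattach "$VM" --storagectl IDE --port 0 --device 0 \
        --type hdd --medium "$DISK"
    vbox storageattach "$VM" --storagectl IDE --port 1 --device 0 \
        --type dvddrive --medium "$ISO"
}

# MAC address of each adapter, to tell Red from Green during the installer
# (only meaningful once the VM exists, i.e. after a DRY_RUN=0 run)
show_macs() {
    VBoxManage showvminfo "$VM" --machinereadable | grep '^macaddress'
}

# "Local Area Connection" is a placeholder host adapter name
create_smoothwall_vm "${HOSTIF:-Local Area Connection}"
```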
Points for the Smoothwall installation setup:
- My Red IP address was manually set to 192.168.0.210, so DHCP is disabled on this adapter (ie. it does not get an IP from DHCP). When manually set you also need to set Gateway and DNS server. In my case both of these are the ADSL router that Smoothwall will be forwarding to, 192.168.0.1
- My Green IP address was 192.168.0.204
- Also make sure you enable DHCP while going through the setup (use space bar to put a * in the DHCP field)
- Make sure you remember your root and admin passwords you set. You need these to configure Smoothwall via a browser and to login to Smoothwall
Once Smoothwall has rebooted from the installation, it should be running. DHCP should work and you will be able to get an IP address on the host assigned by Smoothwall. (run ipconfig /release and ipconfig /renew on Windows to do this)
We can now configure all the settings we need via Smoothwall's HTTP configuration. Bring up a web browser and type: //
:81 This should ask for your login, and then you can start playing with the setup.
Info about the internet IP usage is under the About section. Traffic Graphs is a good place to start.
Problems:
There are a few things to keep in mind with this setup. Obviously anyone on the network can change their DNS and Gateway manually to be 192.168.0.1 which would then bypass Smoothwall. This isn't a problem for me, it's just a home setup for getting info about who uses what.
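A check for that bypass, as an added example that is not part of the original post: it assumes Smoothwall NATs its clients behind the Red address, so the ADSL router should only ever see 192.168.0.210 as the source of internet-bound traffic. The "time src dst bytes" log format and the sample lines are constructed; adapt the parsing to whatever your router or a capture on its LAN side gives you.

```shell
#!/bin/sh
# Added example: flag LAN hosts whose internet traffic reaches the ADSL
# router directly instead of through Smoothwall. Addresses are from the post.
RED_IP="192.168.0.210"     # Smoothwall Red interface
LAN_PREFIX="192.168.0."    # the single /24 that everything shares

# Reads "time src dst bytes" lines on stdin (constructed format) and prints
# "src total_bytes" for each LAN source other than the Red IP that sent
# traffic to a destination outside the LAN.
find_bypass() {
    awk -v red="$RED_IP" -v lan="$LAN_PREFIX" '
        function on_lan(ip) { return index(ip, lan) == 1 }
        NF >= 4 && on_lan($2) && !on_lan($3) && $2 != red { bytes[$2] += $4 }
        END { for (ip in bytes) print ip, bytes[ip] }
    ' | sort
}

# Constructed sample, not real router output
sample_log() {
    cat <<'EOF'
10:00:01 192.168.0.210 203.0.113.10 5120
10:00:02 192.168.0.57 192.168.0.1 300
10:00:05 192.168.0.57 198.51.100.7 2048
10:00:09 192.168.0.210 198.51.100.7 900
10:00:12 192.168.0.57 203.0.113.10 1000
10:00:15 192.168.0.133 203.0.113.99 64
EOF
}

sample_log | find_bypass
```

Traffic from a client to 192.168.0.1 itself stays on the LAN and is not counted; only flows that leave the /24 without coming from the Red address are reported.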
Windows in its inherent nature needs to be restarted from time to time. Obviously this is a disadvantage of running Smoothwall in a VM since it will also need to stop for that time and won't provide access for other people on the network.
There are also security issues with running a firewall in a VM. Obviously if someone gets control over the host OS all the security in Smoothwall will be useless. Again this isn't a huge concern for me because it's a home network. More details about the security can be found on the net... I'm not an expert.
What else could be done?
It would be nice for there to also be a way that the VM starts and stops itself when I restart the computer. Or at least runs in the background. If I get this operational I will put another post up, but I have tried at length to run the VM in a service which is, frankly, downright annoyingly painful on Vista. I've been through a number of HowTos about running VirtualBox VMs as a service, which normally will work ok on XP. Vista has huge issues with permissions from what I could see.
Links:
Smoothwall:
http://www.smoothwall.org/
http://community.smoothwall.org/forum/viewtopic.php?t=2873 - Smoothwall Addin's
VirtualBox:
http://www.virtualbox.org/
pfSense:
http://www.pfsense.org/