Linux Router Project (LRP):

This project is based on the Linux 2.2 kernel. Newer network cards typically do not supply Linux 2.2 kernel drivers, so this project is on a "legacy track".

This tutorial demonstrates the detailed steps on how to build a low-cost, extremely reliable, high-performance, industrial-strength, firewall and network address translator for protecting and/or sharing PCs behind a cable modem or DSL modem in residential, commercial or industrial settings.

This LRP firewall can handle multiple-client pass-through of Microsoft PPTP-VPN and it has secure and encrypted remote administration capability when used in the optional hard-disk or Compact Flash or IDE-ZIP disk mode.

How to transform an old 486 PC into a professional print server, see this page.

A mirror of this LRP Site is hosted in Bucharest, Romania
The URL of the mirror is http://lrp.end.ro/

A mirror of this LRP Site is hosted in Curitiba, Brazil (in Brazilian Portuguese)
The URL of the mirror is http://www.pracz.com.br/LRP/

Scope and purpose of this tutorial:
This tutorial is primarily intended for broadband DSL modem or cable modem connections.
Services that require dial-up or PPPoE [e.g. Deutsche Telekom, Ameritech] are not supported here.
Other uses of this project include projects for high schools, Internet-wired and Internet-enabled hotel guest rooms, schools, libraries, small business offices and home offices (SOHO), telecommuting high-tech workers with ADSL or cable modem at home who need a Microsoft VPN connection to the corporate head office, community centers, Internet cafés, forward-thinking conference centers, forward-thinking tourist information centers, gas stations, computer labs and classrooms, high-tech coffee shops and restaurants (Starbucks, McDonalds, Las Vegas airport, City of New York's public parks, etc. provide wireless access functionally similar to this system) or shopping mall hot spots, forward-thinking airport waiting lounges, senior centers, ferries, bus stations or train stations. You can also use the LRP project as a personal firewall in your office to block hackers. Building owners or tenants can use one IP address to be shared by a large group of casual computer users, even in different buildings. Hopefully, some day in the future, broadband Internet access will become ubiquitous like electricity or Pastry shoes.

Previous experience with Linux or Unix is not needed.

The software used to build this firewall is free, under various Open Source licenses; it only costs you the time to assemble it.
The hardware used to build this firewall is a surplus PC (a 486-66 MHz or low-end Pentium PC) plus 2 inexpensive Ethernet network cards.
Commercial firewalls (price ranging from $40 US to several hundred thousand dollars with more advanced features and capabilities) are available for purchase and are becoming very popular.
Click here for samples of commercial firewalls.
Many people build LRP for the learning experience and the satisfaction of "do-it-yourself".
If you have lots of money, or work for large corporations or governments, buy Cisco PIX firewalls instead. Don't save money by building something useful.

If you collect all the necessary information and hardware, you can do this project in one or two evenings. A cookbook-recipe approach is chosen so that you can build a robust Linux firewall / share-box by following the step-by-step procedures; you don't need to know the cryptic Unix or Linux commands, although in the process of building the box, you may learn a few commands.

Disclaimer

Hardware:

A surplus 486-66MHz PC or a low-end Pentium PC.
(motherboard with 2 empty PCI slots is preferred, but not necessary)
16 MB RAM. Click here to find out how much RAM you have.

For extremely demanding applications, try a 500 MHz Celeron/Pentium with two Intel PRO/1000 MT Gigabit Ethernet cards.

Two (2) Ethernet network adapter cards: note
PCI cards are much easier to set up and less trouble-prone than ISA cards.

Click here to see a full list of Ethernet network cards supported by this project.

Caveat: Do not combine an ISA NE2000 and a PCI NE2000 on the same motherboard. The software drivers get very confused.

Samples of network cards supported by this project:
PCI - Novell NE2000 or clones (use ne2k-pci driver)
PCI - Realtek 8029 chipset (Novell NE2000 clones) (use ne2k-pci driver)
PCI - 3COM 3c590, 3COM 3c900,  3COM 3c905 (use 3c59x driver)
PCI - Realtek 8139 chipset, except the newer 8139D; many 10/100 economy cards use this chipset (use rtl8139 driver).
PCI - D-Link DFE530-TX+, D-Link DFE-538TX (use rtl8139 driver)
PCI - D-Link DFE530-TX (use via-rhine driver)
PCI - DEC/Intel 21x4x chip; 21x4x-compatible Ethernet cards (use tulip driver)
PCI - US Robotics USR7900 (use tulip driver)
PCI - Sohoware SFA110 (use tulip driver)
PCI - Netgear FA311 or FA312 (use natsemi driver)
PCI - CNET Pro200 with Davicom DM9102 chipset
PCI - Intel Pro/100 cards (Intel EtherExpress Pro/100)
PCI - Intel Pro/1000 MT cards (1000 Mbps, or Gigabit, Ethernet cards)

ISA - 3COM 3c503, 3c507, 3c509, 3c515
ISA - SMC 8416 (SMC EtherEZ)
ISA - SMC 8013 (WD 8013) (Western Digital 8013) (SMC-Elite 16) (SMC690)
ISA - Intel EtherExpress 16 (i82586 chipset)
ISA - Intel EtherExpress Pro/10 (i82595TX), Pro/10+ (i82595FX)
ISA - D-Link DE-220  (Novell 2000 clone) (use ne driver)
ISA - Allied Telesyn AT2000 (Novell 2000 clone) (use ne driver)
ISA - Novell NE2000 or clones; Realtek 8019 chip-based (use ne driver)
ISA - SMC 1660T, Acer ALN-101. (Novell NE2000 clones) (use ne driver)

Confused, or in a rush to get started? Here are some suggestions.
If you don't have any old network cards, ask some geeky friends who might. Sometimes you find reasonably priced legacy cards on eBay auctions.

If you must buy new PCI network cards for the project, consider these moderately priced cards: Realtek 8139 chipset (use rtl8139 driver), D-Link DFE530-TX (use via-rhine driver), Novell 2000 compatible Realtek 8029-based PCI card (use ne2k-pci driver), Netgear FA311 or FA312 (use natsemi driver), US Robotics USR7900 (use tulip driver), Sohoware SFA110 (use tulip driver).

If you must buy new PCI network cards and you have lots of money, consider these top-tier Ethernet cards: 3COM 3c905 (use 3c59x driver), Intel Pro/100 series (use eepro100 driver), Intel PRO/1000 MT (use e1000 driver), or generic cards based on the DEC/Intel 21x4x chipset (use tulip driver). Caveat: These fast 10/100 Mbps full-duplex cards may be too fast to talk to some models of cable modems with only a half-duplex 10 Mbps Ethernet design. The Terayon cable modem is one of those older designs.

Preparation:
Identify the MAC addresses AND set up two network cards

Why is the MAC address so important? Because you need to correctly identify which card is connected to the outside world (eth0) and which card is connected to the internal network (eth1); see this diagram. With some DSL or cable modem companies, you also need to know the MAC address of the card (eth0) which is connected to their DSL/cable modem.

Identify the MAC address:
See this page on how to identify MAC address of the network cards.


PCI network cards: There is no need to set up PCI cards.


ISA network cards setup:
(setting up ISA cards is typically time consuming due to IO or IRQ conflicts)

3c503:
use the on-card jumpers, card A IO=300, mem=C800; IRQ=3 (use diskette)
use the on-card jumpers, card B IO=310, mem=CC00; IRQ=5 (use diskette)

3c509:
Use this detective disk to set the card's IO and IRQ and to disable its PnP.
card A set IO=300, IRQ=10; if you have the PnP version, set it to non-PnP
card B set IO=320, IRQ=11 or 5; if you have the PnP version, set it to non-PnP

3c515:
The 3c515 is a 10/100 Mbps PnP-ISA card. You cannot disable the PnP on a 3c515. Fortunately the 3c515 software driver is smart enough to know that. No setup is needed for the 3c515.

NE2000-ISA clones, Realtek 8019 chip: (Novell 2000 clone)
Use this detective disk or the manufacturer's "setup disk" to set up the cards:
card A set IO=300, IRQ=10 or 12; set to non-PnP (jumper-less) mode
card B set IO=320, IRQ=11 or 5; set to non-PnP (jumper-less) mode

D-Link DE-220, Allied Telesyn AT2000, Kingston KNE2000
(Novell 2000 clones)
Use this de220 to set up the cards:
card A set IO=300, IRQ=10, choose some memory block and disable PnP.
card B set IO=320, IRQ=11 or 5, choose some memory block and disable PnP.

Intel EtherExpress 16
Use this softset2 to set up the cards:
card A set IO=300, IRQ=10, choose some memory block and disable PnP.
card B set IO=320, IRQ=11 or 5, choose some memory block and disable PnP.

Intel EtherExpress Pro/10 and Pro/10+ (i82595TX and i82595FX)
Use this softset2 to set up the cards:
card A set IO=300, IRQ=10, disable PnP.
card B set IO=320, IRQ=11, disable PnP.

SMC 8416 EtherEZ
Use this ezstart to set up the cards:
card A set IO=300, IRQ=10, choose some memory block and disable PnP.
card B set IO=320, IRQ=11 or 5, choose some memory block and disable PnP.

SMC 8003/8013 EtherCard Plus family cards, use on-card jumpers to set:
card A IO=280, IRQ=3
card B IO=300, IRQ=5

Notes:
1. On some motherboards, IRQ10 or 11 causes conflict, check with this table.
2. Optional, Advanced: if you choose IO addresses other than 300 and 320, see this page for more information.

Creating a boot floppy for LRP, step-by-step procedure

(1) Install winzip and winimage on your PC.
(Windows 95/98/NT/ME/2000/XP)

(2) Download and save this base image.

(3a) Download and save the appropriate network card driver package
[the network card driver package is called modules.lrp]:
First, click here to see a list of Ethernet cards and the name of the driver.
If you use 3C503 [IO 300 mem C800 IRQ 3; IO 310 mem C800 IRQ 5],
download and save this file.
If you use 3C507 (ISA), download and save this file.
If you use 3C509 (ISA), download and save this file.
If you use 3C515 (ISA), download and save this file.
If you use 3C590 or 3C900 or 3C905 (PCI), download and save this file.
If you use AMD PCNet32, download and save this file.
If you use CNET Pro200 Davicom DM9100 chipset, download and save this file.
If you use NE2000 (ISA) clones, download and save this file.
If you use NE2000 (PCI) clones, download and save this file.
If you use Realtek 8029 based PCI cards, download and save this file.
If you use Realtek 8019 based ISA cards, download and save this file.
If you use Intel ISA EtherExpress 16, download and save this file.
If you use Intel Pro/10 or Pro/10+ ISA, download and save this file.
If you use Intel Pro/10 PCI, download and save this file.
If you use Intel Pro/100, Pro/10+ PCI, download and save this file OR this file.
If you use Intel PRO/1000 (Gigabit, or "gige"), download and save this file.
If you use Realtek 8139 based cards (except 8139D), download and save this file.
If you use D-Link DFE-530TX (via-rhine chipset), download and save this file.
If you use Linksys LNE100TX, download and save this file.
If you use cards with Tulip chipset, download and save this file.
If you use cards with Broadcom 4401 chipset, download and save this file.
If you use US Robotics USR7900 cards, download and save this file.
If you use Sohoware SFA110 cards, download and save this file.
If you use cards with old Tulip chipset, download and save this file.
If you use SMC EtherPower SMC 8432, download and save this file.
If you use D-Link DFE-550TX (Sundance chipset), download and save this file.
If you use SMC EtherEZ SMC 8416, download and save this file.
If you use SMC EtherPower II (SMC 9432), download and save this file.
If you use Asound Myson 800 (mtd803, mtd891), download and save this.
If you use Netgear FA311 or FA312 (DP83815 chip), download this file.
If you use Netgear's older FA311 (Realtek 8139 chip), download and save this file.
If you use Western Digital 8003/8013 (SMC 8013), download and save this file.
If you use cards with National Semiconductor DP83820 chipset, download and save this file.
If you use Realtek RTL8169 chipset (gige), download and save this file.
If you use NE2100 card, download and save this file.
If you use 2 different types of cards, download and save this file and click here.
If you are not sure what card you have, try this file, and then come back to check this page after you have done step (6) below.

(3b)
If your ADSL or cable modem service provider uses dynamic IP addresses, download and save these 2 configuration files: etc.lrp and syslinux.cfg (right click on syslinux.cfg and choose Save);
If your ADSL or cable modem service provider uses a static IP address, download and save these 2 configuration files: etc.lrp and syslinux.cfg (right click on syslinux.cfg and choose Save).

(3c) Invoke winimage, drag and drop the base image (from step 2) in it. You should see something like this. Drag and drop the appropriate modules.lrp, (step 3a) etc.lrp (step 3b) and syslinux.cfg (step 3b) into the winimage window. Winimage should now contain 12 files and it should look something like this. Save your newly assembled image [at the winimage window, click File... Save].

(4) Insert a new, high-quality, blank floppy disk in drive A, click Disk...Write to create an LRP boot-floppy.
Don't use bulk or old floppy diskettes. If your floppy drive is old and worn out, consider buying a new one; LRP uses a 1680K formatted diskette, which is quite demanding. If you see a lot of error messages during boot time, it is most likely due to a bad floppy diskette or a worn-out floppy drive.

(5a)
Shaw cable modem users (with Terayon modems) - jump to step (6).
Rogers cable modem users (with Terayon modems) - jump to step (6).
Delta Cable modem users - jump to step (6).
Québec Vidéotron cable modem users - jump to step (6).
NTL (UK) Internet cable modem users - jump to step (6).
Comcast cable modem users - jump to step (6).
Insightbb cable modem users - jump to step (6).
Time Warner Road Runner cable modem users - jump to step (6).
Swedish Comhem cable modem users - jump to step (6).

(5b)
(some) Cox cable modem, OptusNet:
find out your identification code in preparation for step (10) below.

(5c)
Telus, Cox, Telewest, Charter Comm, Maryland:
Find out the MAC addresses of your Ethernet cards, in preparation for step (10) below.

(5d)
Users with static IP address, proceed to step (6).

(6) Before unplugging your existing Windows computer that is connected to the cable modem or ADSL modem, it is advisable to release the IP address first. Click here to see how to release the IP address. Power up the firewall with the LRP boot-floppy in drive A. The first and second boot-ups may take 5 minutes (apparently stuck on syslogd) due to the lack of a proper IP address.

Log in as root, then type q to drop to the # prompt.
Type ifconfig eth0 and ifconfig eth1 to identify the MAC addresses.
This checklist may be helpful for doing MAC-address detective work.
Optional advanced: if you use 2 different types of network cards, see this page.
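The MAC-address detective work of step (6), and the card A / card B IO and IRQ assignments from the ISA setup section, can both be checked from the same ifconfig output. The script below is an added example, not part of this tutorial or of the LRP project: it parses ifconfig text in the Linux 2.2 net-tools layout, reports which interface carries the MAC you registered with your ISP, and verifies that eth0 is card A (IO=300, IRQ=10) and eth1 is card B (IO=320, IRQ=11). The sample output and every MAC and IP address in it are constructed; the IRQ 11 choice for card B is an assumption (the tutorial also allows IRQ 5).

```shell
#!/bin/sh
# Constructed sample of `ifconfig` output in the Linux 2.2 net-tools layout
# (not captured from a real LRP box); all addresses are made up.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:A0:24:11:22:33
          inet addr:203.0.113.5  Bcast:203.0.113.255  Mask:255.255.255.0
          Interrupt:10 Base address:0x300

eth1      Link encap:Ethernet  HWaddr 00:C0:F0:44:55:66
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          Interrupt:11 Base address:0x320'

# iface_field TEXT IFACE FIELD: print the value of FIELD (HWaddr, Interrupt
# or "Base address") from the paragraph of TEXT describing IFACE, else nothing.
iface_field() {
    printf '%s\n' "$1" | awk -v want="$2" -v field="$3" '
        /^[A-Za-z]/ { cur = $1 }        # unindented line: a new interface starts
        cur == want && match($0, field "[: ]+[^ ]+") {
            val = substr($0, RSTART, RLENGTH)
            sub(field "[: ]+", "", val) # drop the label, keep the value
            print val
            exit
        }'
}

# which_iface_has_mac TEXT MAC: print the interface carrying MAC (case-
# insensitive). The card whose MAC the ISP recorded must turn out to be eth0.
which_iface_has_mac() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    for i in eth0 eth1; do
        if [ "$(iface_field "$1" "$i" HWaddr)" = "$want" ]; then
            echo "$i"
            return 0
        fi
    done
    return 1
}

# check_card_layout TEXT: card A (IO=300, IRQ=10) must be eth0 and card B
# (IO=320, IRQ=11, assumed) must be eth1. Reports mismatches; returns 0 if none.
check_card_layout() {
    text=$1
    bad=0
    for spec in "eth0 0x300 10" "eth1 0x320 11"; do
        set -- $spec                    # iface, expected IO base, expected IRQ
        io=$(iface_field "$text" "$1" "Base address")
        irq=$(iface_field "$text" "$1" Interrupt)
        if [ "$io" != "$2" ] || [ "$irq" != "$3" ]; then
            echo "$1: found IO=${io:-?} IRQ=${irq:-?}, expected IO=$2 IRQ=$3"
            bad=1
        fi
    done
    return $bad
}

# Demo on the sample; on the real box use "$(ifconfig)" instead of the sample.
ISP_MAC="00:a0:24:11:22:33"             # placeholder: the MAC you gave your ISP
echo "registered MAC is on: $(which_iface_has_mac "$SAMPLE_IFCONFIG" "$ISP_MAC") (must be eth0)"
check_card_layout "$SAMPLE_IFCONFIG" && echo "ISA IO/IRQ layout matches cards A and B"
```

If the registered MAC shows up on eth1, swap the two cables (or the two cards) rather than re-jumpering anything.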

(7) It may be advisable to power-down/power-up your cable/DSL modem to purge its memory of existing Ethernet card's MAC address. Sometimes you may have to release the IP address to your ISP before powering up the LRP. Power off your LRP firewall.

(8) Connect eth0 to the cable modem/DSL modem, and connect eth1 to your internal network hub (see this diagram). Power up the cable modem/DSL modem, wait until it becomes stable, then power up the LRP firewall.

(9) The majority of residential ADSL and cable-modems use "dynamic IP", in that case, proceed to step (10). If for whatever reasons, you have "static IP address", jump to this page.

(10) If you use dynamic IP, you may have to jump through some bizarre hoops to keep your DSL or cable modem company happy. Here is how to jump hoops.
If you use static IP, proceed to step (11).

(11) Configure DHCP (on the LRP) for your location:
(a) collect the proper information, then (b) edit a configuration file on LRP.

(12) Reboot the LRP firewall.
Re-set your original PC for use behind the new LRP firewall.
If you have "software firewall" installed on that PC, it should allow DHCP traffic so that the PC can obtain an IP address from the LRP box, unless you choose to use "static IP" address on that PC.

(13) To configure other PCs in your internal network, see this page.
If you have a "software firewall" installed on those PCs, it should allow DHCP traffic so that each PC can obtain an IP address from the LRP box, unless you choose to use a "static IP" address on that PC.

(14) Surf happily ever after.

Acknowledgements.

If you have trouble getting LRP to work, see this trouble-shooting guide.
If you use "dynamic IP", each time your ISP changes your IP address you need to restart seawall; see this page.

(15) You may want to disable the power-save feature of the BIOS so that the CPU does not go into low-power mode (which degrades the performance of the LRP) when there is no traffic going through the firewall. Thanks to Paul Sorichetti of Ottawa, Ontario, Canada for discovering this point.

(16) Optional, Advanced: If you have a static or quasi-static IP address AND your "ADSL or Cable Modem User Policy" allows you to run a web server, e-mail server, NetMeeting or pcAnywhere server from your inside network, see this page on "port forwarding".

(17) Optional, Advanced: If you want to build an LRP firewall that boots from an IDE hard disk, Compact Flash or IDE-ZIP drive, see this page.

(18) Optional, Advanced: If you want to telnet to your LRP firewall, see this page.

(19) Optional, Advanced: If you want your LRP to use the local time zone or use SNTP to synchronize to time servers, see this page.

(20) Optional: You may want to remove the hard disk to reduce power consumption and reduce noise.

References:
(NAT) Network Address Translator: RFC 2663 and RFC 1631
Address Allocation for Private Internets: RFC 1918
The MD5 Message Digest Algorithm RFC 1321
Issues and thoughts about the lack of end-to-end datagram transparency due to NAT: RFC 2775
Home Network Security by CERT.
ip_masq has a vulnerability; how to reduce the exposure of the ip_masq weakness.

Technical synopsis:
The project is based on LRP 2.9.8 using the kernel source 2.2.19-1-LRP.linux.tar.gz from
http://www.tux.org/pub/distributions/tinylinux/linux-router/dists/2.9.8/, with John Hardin's ip_masq_pptp kernel patch added for Microsoft PPTP pass-through, and the CoRiTel Sofia Project (Rome, Italy) ip_masq_h323 kernel patch for NetMeeting pass-through. Compilation is done using Linux. The LRP kernel can be compiled on a current Debian Linux, but the LRP binaries (executables) are compiled on Debian (slink).

MSN Messenger: This LRP firewall does not have a kernel patch to allow Microsoft MSN Messenger clients behind the NAT firewall to make voice calls or send files (outbound).
This is due to protocol problems in MSN Messenger.
http://support.microsoft.com/support/kb/articles/q278/8/87.asp

Others:
House-keeping items


© 2000-2010 Nicholas Fong, e-mail

Burnaby, B.C. Canada  

License

Revised: April 01, 2010

Change Log