My Adventures With m0n0wall Software
As anyone who knows me will tell you, I have no shortage of computer equipment. It comes from all kinds of places...curbside discount, people who have upgraded, mysterious "gifts" that end up on my porch or lawn, or in ways that are unique but have no doubt been forgotten about.
Some end up being cleaned up, repaired and donated to those who need
them more badly than I do. Some become loaners (these are for people to
use when I'm working on their main computer). Others get recycled or
parted out. Ones that don't work and cannot be repaired or that are made of dried and pressed
garbage formed into the shape of a computer may get run over after any
remotely good parts are harvested. Still others sit and wait their turn for a suitable project to cross my mind.
Then there are some that don't really fit into the above categories...the ones
that still work fine yet are so utterly outmoded that you can't think
of anything else to do with them. These are the computers that qualify
as "vintage" yet have little to no value or uniqueness. And after you
realize that you only need so many older systems to run any old
programs or games, there just isn't anything left for them to do.
I hate to throw anything that might be useful away. The mountains of
"stuff" around here will attest to that. There are two reasons for
this, one you just read and the other, which dictates that any time I do
throw something out, I will immediately come up with the perfect thing
to use it for after it's gone. My life is a comedy, and I've mostly
come to accept this sort of thing as inevitable.
This page tells the story of one of "those" computers. Allow me to
present to you... (cue drum roll FX, please)
...this. Here we have a generic looking PC that a friend gave to me,
along with another PC with a slightly newer motherboard and monstrously
big case. Some assorted "parts" also came my way. Most of the parts
have come in handy for some purpose or another, and the other computer
is presently being subjected to invented swear words while I work at
beating it into submission as a FreeNAS system. Provided I don't throw
it right out the window in the near future, that other system will be
used to store copies of the data on my first FreeNAS system. Rsync will
make these copies and the system will be located offsite. More on that
later, on a separate page (of course). Although, if you've decided
you'd rather read about that project, you can find that
particular...uhm..."epic" right here. (Don't say I didn't warn you about the length.)
This PC is built around an ASUS SP97-V motherboard. For those of you
following along at home, the SP97-V board is an interesting mix of the
new and old. It's a baby-AT form-factor with support for the good old
AT type power connections as well as the then up-and-coming ATX power
connector. It uses socket 7 processors and does not have support for
the later "Super 7" processors. (Intel's own socket 7 processors never
went faster than 266MHz. AMD and others pushed things much further, up
to at least 550MHz before the party was finally over. Of course, you
couldn't just drop one of those third party processors into most socket
7 systems, you had to have a board that would support it and not
Majorly Freak Out at the sight of a then-insanely-fast CPU.)
This ASUS motherboard takes old-fashioned 72-pin SIMMs. The problem with SIMMs is that back in the days of computing when the world was still in black and white, 4, 8, 16 and 32MB of RAM was the in thing. Some lucky people had 64 megabytes of RAM. Few people had any need for much more memory than that, and when they finally did upgrade, the DIMM was the big thing to appear with their new motherboard, processor or even PC. It's not hard to find motherboards that have both types of memory sockets to guard against obsolescence for just a little while longer. This board does not, and today, in the name of progress, most software really needs more than the 48MB of installed RAM this system came with.
The software I planned to use wanted 64MB of installed RAM at a minimum.
Fortunately, some years ago, I knew a guy by the name of Christopher
Hutchins who was sitting on a veritable mountain of SIMMs. (Those were
his own words.) I can tell you're surprised. Funny thing is, I came to
know him in the better days of alt.trucks.chevy when we spent time
talking about various and sundry rustbuckets that we'd seen or been
working on.
On December 20th, 2004 or so, he sold me two bags worth of 32 megabyte
72-pin EDO SIMMS, tested and guaranteed working for a downright cheap
$2 per module. (Try to find it at that price now!) I went through one
bag pretty quickly while refurbishing some HP Vectra VA and VL
computers. The other one remained unopened until, in 2009, I built my
first FreeNAS system and needed more RAM to get it off the ground. I
don't know where Mr. Hutchins is today but I'm sure he'd be impressed
that it's taken me this long to get through the modules. I am also impressed, because this means two things: my old computer collecting habit isn't totally out of control and I probably won't run out of these modules for some time.
Even better, the ASUS SP97-V motherboard supports EDO SIMMs. As proof
that my organization system works when people don't perceive it as
everything thrown everywhere and in need of "helpful" straightening up, I found
the bag of modules right away.
What's more, I even managed to find an old Tandy AT keyboard with the 5-pin "DIN" connector required by this ASUS motherboard. (Yes, it's really that old. However, it does have a PS/2 mouse riser.)
When one has this much good luck, he just can't help but wonder when good old Murphy's law is going to nail him.
You're probably saying "OK, that's nice. So what were you
going to DO with that computer?" at this point.
Well...
I don't know how it was that I became aware
of it at first, but I wanted to try out this operating system/software
package known as m0n0wall (from now on, I'll call it monowall, just
because I don't feel like typing the 0s). The already mentioned FreeNAS
is based on monowall, but I am pretty sure I knew of it before then.
Every time I say "monowall" I cannot help but think of the Simpsons episode where the monorail came to Springfield. Quit looking at me funny. I doubt that I'm the only person to have drawn a parallel between the two words, despite their very different meanings. Funny thing is, as I'm writing this passage and getting ready to add a link to a description of that very episode, another Simpsons episode has been selected as the Wikipedia article of the day. Which is really a rather amazing coincidence...
Monowall requires a 486 or better processor and very little memory in
order to work. In other words, it can run on computers that would make
this one look like a puppy. What monowall allows you to do is build a very capable firewall
with which you may regulate the flow of TCP/IP communications traffic
to and from the Internet or at least two different networks. You can
always buy little boxes that do this just as soon as you plug them in,
but if you're cheap and/or like free stuff, monowall can do the same thing
with two network cards and a PC.
In other words, it's just the thing for those who drive their riding lawn mower or
tractor to the grocery store because it gets you from point A to point
B without the expense of a car! (Sorry. That's a sarcastic remark.)
In all seriousness, even an old computer like this one will frequently have a lot more memory and a more powerful, general purpose CPU that is much more flexible in what it can do as compared to the purpose built ultra low power CPUs found in most routers. It does not take a lot of computing muscle to apply rules that define who may and may not communicate with whom between two networks, although the needed CPU speed will usually increase as the rate of communication goes up.
Many "little routers" and their built in firewalls are quite good, especially those that can run the phenomenal DD-WRT firmware, which I absolutely love. They take up a lot less space than a computer running monowall would, but few of them can route at wire speed on both of their network interfaces.
That's normally fine--you don't always need a lot of processing power to route traffic, as most people's Internet
connections have actual data rates much slower than what a private
local area network will stand. A lot of the time, you'll get anywhere
from a 1 to 12 megabit data rate to the Internet, where a private local
area network inside your home can easily communicate at 100 megabits
or more. It's when you have lots of clients, lots of firewall rules or
more than just a private and public network that you might need more.
An old PC can usually do the job nicely and it costs a lot less than
heavy-duty networking gear would.
That's not all you can do. Monowall can act as a DHCP server to easily pass out IP addresses to your computers so that they can automatically get a network connection the moment you plug in to the network, and you can even use it in conjunction with another router/firewall device if you want to make a "private" network of computers that are for some reason isolated from the other ones. It can be used to separate individual computer networks from one another, while imposing an access control policy to regulate the flow of data between the networks. It can also create virtual LANs, something that I've never done, tried to do or even know very much about.
That concept of separation between networks is actually what I wanted to do with this system. As things are now, I do freelance computer consulting, which means that every now and then I have to deal with a computer that is, for want of a better way to put it, "icky", meaning that it is infested with viruses or malware of some kind.
As some forms of ick (viruses, spyware, etc.) are vicious, they'll fling their "ick" onto other clean computers if those computers are on the same private network as the infested one. I've typically prevented this by manually moving cleanup tools to the infested computer disk after hooking it up to a clean computer as a non-boot drive. I've also done scans from the clean computer before and after fixing a mess to be sure it's all gone.
Usually, though, I have to test the cleaned machine to be sure it works
properly. And that's where the desire to have a dedicated network where
these computers can be put comes in. In the case that there is
still something wrong, you won't end up spraying it all over your clean
systems. Up until now, I've found ways around this, usually by running
a machine back to the customer's house temporarily to test it. That's
really not the best way, and it looks unprofessional. Fortunately, it
only happens that way rarely. I've gotten very good at the art of
removing crapware from PCs, even the very persistent stuff.
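As an added example (not code from this page and not m0n0wall's own code), here is a small Python model of the access control policy described above: a separate "quarantine" network for customer machines that may reach the firewall's DNS and the Internet but nothing on the clean LAN, while the clean LAN may still push cleanup tools into quarantine. Everything in it is constructed for the example: the 192.168.1.0/24 and 192.168.50.0/24 address ranges, the interface names "lan" and "quar", and the rule contents. Real monowall rules are entered through its web interface and its filter is stateful, so reply traffic for an allowed connection is passed without a rule of its own; the model below only looks at the first packet of each connection.

```python
"""First-match firewall policy for a quarantine network (added example).

Not m0n0wall code: a stdlib-only model of per-interface, first-match
rules with a default deny, used to show why an isolated network for
suspect machines keeps them away from the clean LAN.  All addresses,
interface names and rules below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed layout (assumption, not the page's real addressing).
CLEAN_LAN = ip_network("192.168.1.0/24")         # trusted desktops
QUARANTINE_LAN = ip_network("192.168.50.0/24")   # customer machines under test
FIREWALL_QUAR_SIDE = ip_network("192.168.50.1/32")  # firewall's own address in quarantine
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str           # interface the packet arrives on
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # rules are evaluated per inbound interface
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        # The interface plus source check doubles as anti-spoofing: a packet
        # arriving on "quar" with a clean-LAN source matches nothing here.
        return (
            pkt.iface == self.iface
            and ip_address(pkt.src) in self.src
            and ip_address(pkt.dst) in self.dst
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


# Order matters: the first matching rule wins.
RULES = [
    # Quarantined hosts may ask the firewall for DNS...
    Rule("pass", "quar", QUARANTINE_LAN, FIREWALL_QUAR_SIDE, "udp", 53,
         "quarantine -> firewall DNS"),
    # ...but may not touch anything else on the firewall or the clean LAN.
    Rule("block", "quar", QUARANTINE_LAN, FIREWALL_QUAR_SIDE,
         comment="quarantine -> firewall, anything else"),
    Rule("block", "quar", QUARANTINE_LAN, CLEAN_LAN,
         comment="quarantine -> clean LAN"),
    # Whatever is left (the Internet) is allowed, so the cleaned machine
    # can be tested for working network access.
    Rule("pass", "quar", QUARANTINE_LAN, ANY, comment="quarantine -> Internet"),
    # The clean LAN may reach anywhere, including pushing tools into quarantine.
    Rule("pass", "lan", CLEAN_LAN, ANY, comment="clean LAN -> anywhere"),
]


def evaluate(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, reason) for the first packet of a connection.

    Traffic that matches no rule is dropped: default deny.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "block", "default deny"


if __name__ == "__main__":
    # Constructed sample connections, printed as a quick trace.
    samples = [
        Packet("quar", "192.168.50.20", "192.168.1.10", "tcp", 445),   # to clean LAN
        Packet("quar", "192.168.50.20", "203.0.113.5", "tcp", 80),     # to Internet
        Packet("quar", "192.168.50.20", "192.168.50.1", "udp", 53),    # DNS on firewall
        Packet("quar", "192.168.50.20", "192.168.50.1", "tcp", 80),    # firewall web GUI
        Packet("lan", "192.168.1.10", "192.168.50.20", "tcp", 445),    # tools into quarantine
        Packet("quar", "192.168.1.10", "203.0.113.5", "tcp", 80),      # spoofed source
    ]
    for pkt in samples:
        action, reason = evaluate(pkt)
        print(f"{pkt.iface:4} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport}: {action:5} ({reason})")
```

The point of the ordering is that the two block rules sit above the broad "quarantine -> Internet" pass; swap them and a machine under test could reach the clean LAN. The spoofed-source sample falls through to the default deny because no rule on the quarantine interface admits a clean-LAN source address.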
Other Hardware and Stuff
(I plan to add a link to a page that talks about the Asus motherboard
in greater detail and offers some downloads that those still using such
a board might find helpful. Stay tuned!)
Monowall bases itself on the FreeBSD operating system. Not all hardware
works well outside of a Windows world, so you do want to be sure that
you pick hardware that will operate correctly. Sometimes this is a
guessing game...what works in one system won't work in another. Still,
there is some hardware that just works like it should no matter what. On that list
would be Intel's network adapters. I have boxes of them, all casualties
of the mass exodus of networking hardware from an expansion card to a built in motherboard
feature. Although this machine came with a Linksys LNE100TX adapter in
place, I decided not to even bother with it. The Intel cards work while many
others just don't. I can put the Linksys card into the giant mystery
NIC box and it will come out eventually for use in another project.
Curiously, with no network cards installed, the monowall operating
system detected an "sis" network card. Although even the official
documentation for the chipset says nothing about it, I wonder if the
SiS 5598 on this motherboard has some vestigial network functions that
were under development.
I made some other changes as well. I don't know the provenance
of this computer or even how it began life, but it had a curious mix of
parts in it. A 10GB hard disk and 52X CD-ROM certainly aren't near the
portion of the timeline occupied by this motherboard or even the case. They're also
overkill for this job, so out they went. I put into place an old 2GB
4,500 RPM Seagate Medalist hard disk and a 4X CD-ROM. Given that the
system only uses the hard disk for booting and the CD-ROM is unlikely
to be needed again for some time, there is no need at all to use even
remotely bleeding edge parts for this job.
As this was a desktop computer in a previous life, it had a sound card
alongside a modem. There were also a few port brackets slotted into the
case. Since I don't need them, I disabled all of the ports and removed
the other cards. Video comes from the onboard SiS chipset, so there was
no separate video card, only a riser that is still in the system and
will stay there should I need to have a monitor hooked up for some
reason. The only cards in place now are the two Intel 82558 network
cards.
I found some slot blanks to fill in the holes, just because I'm one of
those people who is a little fussy about such things.
Oh, and because I could, I hooked up the dormant front panel speed display. Remember when computer cases always had these? I do! As the display elements are only seven-segments, they can't display many letters. Therefore, the display is intended to read "FW" (for "firewall") and not the somewhat rude "FUU". I had no choice but to split the "W" between the two other positions. It'll do, use your imagination! Getting the readout to work took some blind experimentation. At least the nice folks who built this case had the decency to label the power connector on the display--otherwise something might have gone "foof" when setting this up.
There are other improvements to be made. When checking to see what sort
of processor was on this board, I noticed that there was no heatsink
paste at all between the heatsink and CPU. I added some to allow for
better heat transfer between the heatsink and CPU--not that I'm sure it
was needed.
How Well Does It Work?
I downloaded some files from high bandwidth web sites that I knew could
saturate the bandwidth of my Internet connection. I have a
twelve-megabit-per-second connection speed, and during off-peak hours I
can get pretty close to pulling things down at close to that speed so
long as the computer that's doing the sending can keep up. I saw pretty
steady transfers of 1.2 megabytes per second. As a ten megabit
connection would equal 1.25 megabytes of data transferred at 100%
efficiency, that's not bad performance. You'll never quite make it to
100% productive use of your bandwidth (due to unavoidable factors such
as control traffic and "background stuff"). Clearly this computer can
shift data through its mill and between the network cards at a rate
fast enough for most people.
I don't know and haven't tried to find out how close to wire speed it
will come when shoveling packets between the two network interfaces. I
expect that it can probably get pretty close to filling up
a 100 megabit line with the hardware currently in use. For the record,
the processor is a 233MHz Intel Pentium MMX CPU.
Robustness
Of course, your newly configured monowall could perform very well, but
that will not mean anything at all unless it is reliable. I'm pleased
to report that it's very reliable under the short term tests that I
have made. You can even pull the plug on it at any time with no ill
effects whatsoever, as the boot disk is never written to unless you are
configuring the firewall itself. With anything else based on a Unix operating system, shutting down your computer by pulling the plug is a good way to win the "my disk is so corrupted that the computer won't even start" award. That won't be a problem here.
The Finished Product
Here's everything back together again and running.
Now all I have to do is find a place to put it and hook up a network
switch so I can plug in other computers when I need to. Then it will
truly be complete.
Copyright © 2010 William R. Walsh. All Rights Reserved. Permission is granted to reproduce this material or to use any part of it in other creations, so long as the following terms are met: attribution to this page and its author must be supplied, no part of this page may be displayed along advertising content of any sort, no fee may be assessed to provide access to this information (except as reasonably necessary to cover connection time or printing supply expenses) and no part of this material may be used in creations that are illegal, dangerous or derogatory. Created 04/29/2010, updated 04/30/2010. This page is still a work in progress. Although what is here is believed to be correct, not everything may be completed. Please check back soon.