adminguy
/
Teardowns_2020
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14 Commits
1 Branch
269 MiB
 
 
 
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Teardowns_2020/soekris_engineering_net4801-60/resources/soekris.html

193 lines
7.6 KiB
Raw Permalink Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml111/DTD/xhtml111.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Soekris Router Project</title>
<link rel="stylesheet" href="style.css"/>
</head>
<body>
<p>
This document no longer reflects my configuration, but rather
than delete possibly useful information, I've made notes of my
changes on a new <a href="errata.html">errata</a> page.
</p>
<h1>Introduction</h1>
<p>
Typically there are two choices when setting up a small network:
buy consumer grade commercial hardware, or find an old machine
and install unix. A small wireless router and firewall from <a href="https://www.netgear.com"> NetGear</a> or <a href="https://www.linksys.com">Linksys</a> could hardly be easier
to install and has many pretty <a
href="http://www.brabandt.de/html/blinken_lights.html">blinken
lights</a>. It isn't very flexible though, often two or more
different boxes are needed, upgrading means buying another one,
and some "enterprise" features are plain not available at the
low end. On the other hand, a full fledged computer makes a lot
of noise and has many moving parts to fail.
</p>
<p>
The solution: create a custom network device running on silent
hardware designed for embedded systems. Select the best
hardware and software available to create a device
unparalleled by anything in the commercial marketplace.
</p>
<ol>
<li>Stateful packet filtering with NAT</li>
<li>High power 802.11b wireless access point</li>
<li>Routing</li>
<li>Network services (DHCP, NTP, SSH, caching DNS)</li>
<li>IPsec endpoint</li>
<li>Upgradable (802.11g, IPv6, etc)</li>
</ol>
<p>
The real selling point however is that this network device will
be running a full unix operating system, which provides nearly
infinite flexibility. All aspects of operation can be fine
tuned, comprehensive monitoring is possible, and arbitrary
programs may be installed.
</p>
<h1>The Platform</h1>
<p>
<a href="https://www.soekris.com">Soekris Engineering</a>
produces an excellent line of tiny, x86 compatible,
embedded computers complete with cases. So first on the list, one <a href="https://www.soekris.com/net4521.htm">net4521</a> which has
the following key specifications:
</p>
<ul>
<li>AMD <a href="https://www.amd.com/epd/processors/4.32bitcont/14.lan5xxfam/24.lansc520/">Elan SC520</a> 486 class 133mhz CPU, 64 megs of RAM</li>
<li>Two 10/100 megabit ethernet ports</li>
<li>Two PCMCIA/PCCard/CardBus slots</li>
<li>One Mini-PCI slot, filled with a
<a href="https://www.soekris.com/vpn1201.htm">vpn1211</a> hardware crypto board</li>
<li>A CompactFlash card slot for permanent storage of the system software</li>
</ul>
<p>
The Soekris boards support all the free *BSD variants, Linux,
and probably anything else that runs on standard PC compatible
hardware. Soekris has quite a following amongst the wireless
networking community, and so has a lively <a
href="http://lists.soekris.com/mailman/listinfo/soekris-tech">mailing
list</a> with volumes of information about how to get everything
working.
</p>
<h1>The Wireless Card</h1>
<p>
Next is an 802.11b wireless card. Many aren't capable of acting
as an access point, and some aren't even supported under open
source operating systems. Fortunately there is a wonderful
chipset called Prism from <a
href="http://www.intersil.com">Intersil</a> that is very well
supported under *BSD and Linux, and it supports an access point
mode.
</p>
<p>
One of the people on the Soekris mailing list happens to have a
company named <a href="https://www.netgate.com">NetGate</a>, and
this company just happens to ship a <a href="https://www.netgate.com/EL2511.html"> 802.11b PC-Card</a>
based on the Prism 2.5 chipset which puts out 200mw with
excellent sensitivity ratings. Not only that but they sell <a href="https://www.netgate.com/kits.html">kits</a> which include:
</p>
<ul>
<li>The card itself</li>
<li>A "pigtail" which connects the card to a connector on the outside of
the Soekris case</li>
<li>An antenna which greatly increases the range</li>
</ul>
<p>Great stuff!</p>
<h1>The Operating System</h1>
<p>
Choosing the right network operating system may be the toughest
task. Linux and the *BSDs (FreeBSD, NetBSD, OpenBSD) will all
run on this hardware, as will other non-free operating systems
which I gave no thought to. The <a
href="http://hostap.epitest.fi">HostAP</a> driver and software
are what allow a Prism based 802.11b card to act as an access
point. Apparently this was written for Linux but it is
available on BSD too.
</p>
<p>
<a href="https://www.openbsd.org">OpenBSD</a> has a hard won
reputation for security, stability, and everything else I am
looking for. It was the natural choice, and many other people
on the Soekris mailing list have discovered the same thing.
There is even a project called <a
href="http://opensoekris.sourceforge.net">OpenSoekris</a> which
will help set up a Soekris based system from an existing OpenBSD
install.
</p>
<p>Some of the key features of OpenBSD are:</p>
<ul>
<li>A great <a href="https://www.openbsd.org/faq/faq6.html#PF">packet filter</a>
with which to make a firewall and NAT engine</li>
<li>An <a href="https://www.openbsd.org/faq/faq13.html">IPsec</a> engine</li>
<li>Plus hardened services like a DNS server</li>
</ul>
<h1>Security</h1>
<p>
Sure WEP can be cracked, so can a copper cable network, it just
requires more intrusive physical access. Even more intrusive is
tapping into fiberoptic cables, but that too is possible. Real
security requires top strength crypto and a great solution
is <a href="https://www.ietf.org/html.charters/ipsec-charter.html">IPsec</a>.
</p>
<p>
IPsec, via the ISAKMP protocol, can handle client authentication
via passphrases or x.509 certificates. No need to worry about
802.1x or proprietary enhancements to WEP. IPsec is extremely
strong and isn't tied to wireless networks. So, the security
portion of the plan is:
</p>
<ol>
<li>Deny all access from the internet interface</li>
<li>Allow all local clients access to DHCP and ISAKMP</li>
<li>Deny all other unencrypted communications to wireless clients</li>
<li>Allow IPsec traffic from authenticated wireless clients</li>
<li>Allow local administration via SSH</li>
</ol>
<h1>Sections</h1>
<p>The project is divided into the following sections:</p>
<ol>
<li>Introduction</li>
<li><a href="openbsd.html">OpenBSD Configuration</a></li>
<li><a href="diskless.html">Diskless Booting</a></li>
<li><a href="cf-install.html">CompactFlash Installation</a></li>
</ol>
<p>There are also client configuration how-tos:</p>
<ol>
<li><a href="macosx-ipsec.html">Mac OS X IPSec</a></li>
</ol>
<p>
<a class="section" href="openbsd.html">
Next: OpenBSD Configuration &gt;&gt;</a>
</p>
<p><img alt="email address" src="contact.png"/></p>
</body>
</html>