How to create an ADSL router for your local network with Knoppix

A few days ago the Vigor 2200E ADSL router of the company I work for broke down. The router itself still responded, but the traffic coming in on the WAN port (i.e. from the internet) slowed down almost to a halt; it was unusable. There are two options in such a case:
  • buy the first ADSL router you find in a nearby store
  • set up a replacement using a PC, so you have time to decide what kind of router/unit you want to buy (re-evaluate the business requirements, the costs, etc.)
This article is about the second option: setting up a replacement router quickly, using a Knoppix Live CD. Of course "quickly" only holds if you have a Knoppix CD at hand.

Even if you don't, you can plug the cable from the ADSL modem into a notebook, set up an ADSL connection there and download (and burn) the Knoppix image in no time.

I tested the following method with Knoppix v3.6 and v5.1.1, both worked.
I'll assume that your ADSL router was the default gateway in your LAN, so the replacement router will be configured with the same IP and routing rules.

Here's what to do to get an ADSL router up and running:
  1. Get an x86-compatible machine with at least two network cards and a CD drive.
  2. Shut down the old ADSL router, plug the LAN cable from it into one of the NICs of the new router, and plug the WAN cable (the one coming from the ADSL modem) into the other NIC of the new router. Boot the router from the Knoppix CD.
  3. After Knoppix is up and running, start a terminal and become root (e.g. using the su command).
  4. Start pppoeconf. You can start it without any parameters and it'll scan all network interfaces looking for an ADSL modem on the other end of the cable. If you specify an interface name for pppoeconf, it'll scan only that one interface. After you're finished, a new DSL config is created at /etc/ppp/peers/dsl-provider. Since we'll be using this router as the default gateway of the LAN to reach the internet, I added the replacedefaultroute option to this config file too. You can initiate the ADSL connection with the pon dsl-provider command (this creates a ppp0 interface for you), close the connection with poff and list the connection log with plog.
  5. It might happen (especially if you're going to use NAT between your LAN and the internet) that the default MTU (Maximum Transmission Unit) of your ADSL connection, which is usually 1492, is too large and you'll not be able to access some websites or connect to some TCP services. In this case specifying an MTU of 1412 in /etc/ppp/peers/dsl-provider will fix your problems. You can read more about this in the manpage of pppoe (it contains all the options that you can use in the dsl-provider config file).
  6. By default Knoppix configures your network interfaces via DHCP. Since your ADSL router should have a fixed IP on your LAN, you should change this for the LAN interface. You can do it either with the netcardconfig command or manually in /etc/network/interfaces. You might also set the "IFACE" option in /etc/dhcpc/config to "none", but leaving it as it was should not cause any trouble either. If your static IP for the LAN is e.g. 192.168.0.1 and your LAN interface is eth0, then you would have to add something like the following to /etc/network/interfaces:
    auto eth0
    iface eth0 inet static
            address 192.168.0.1
            netmask 255.255.255.0
            network 192.168.0.0
            broadcast 192.168.0.255
    Do not specify a gateway here, because it'll come from the ADSL connection setup (/etc/ppp/peers/dsl-provider).
    After you've finished the setup of the network interface, take it down and bring it up again:
      ifconfig eth0 down
      ifup eth0
  7. You might have to put the DNS servers of your ISP manually into /etc/resolv.conf.
  8. Create a firewall script that will set up some basic firewall rules, NAT and enable IP forwarding in the kernel. The following script might do as a start:
    #!/bin/sh
    # Basic router firewall: stateful filtering, NAT (masquerading) and
    # IP forwarding. Adjust the interface names and the LAN network to your setup.
    LAN=eth0
    WAN=ppp0
    LAN_NET=192.168.0.0/24

    # Reset iptables tables and policies
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X

    # load the connection tracking modules (needed for the stateful rules
    # below and for passive FTP through the NAT)
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    # Setting default filter policy: nothing reaches the router itself and
    # nothing is forwarded unless a rule below explicitly allows it
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    # Unlimited access to loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Unlimited access to local network
    iptables -A INPUT -i ${LAN} -j ACCEPT
    iptables -A OUTPUT -o ${LAN} -j ACCEPT

    # prevent spoofed packets: nothing arriving from the WAN may claim
    # the loopback address as its source (uncomment to enable)
    #iptables -A INPUT -i ${WAN} -s 127.0.0.1 -j DROP

    # Allow connection tracking to let UDP, DNS and Passive FTP work:
    # accept replies to connections the router itself opened, and new
    # connections arriving on any interface except the WAN
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT ! -i ${WAN} -m state --state NEW -j ACCEPT

    # set up forwarding between LAN and WAN: the LAN may open connections
    # to the internet, the internet only gets the replies to existing ones
    iptables -A FORWARD -i ${LAN} -o ${WAN} -s ${LAN_NET} -j ACCEPT
    iptables -A FORWARD -i ${WAN} -o ${LAN} -d ${LAN_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -j DROP

    # set up NAT: rewrite the source address of everything leaving on the WAN
    iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

    # drop everything else (this is not absolutely necessary here,
    # since the default policy for the INPUT chain was DROP anyway)
    iptables -A INPUT -j DROP

    # enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    The script assumes that eth0 is the LAN interface, eth1 is the NIC the ADSL modem is plugged into and ppp0 is the ADSL interface that pon creates on top of it. It allows all outgoing connections and drops all incoming connections, thus protecting the LAN behind your NAT from external attacks. Of course this is just a stub; you should fine-tune the rules for your needs.
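As an added check that is not part of the original article, the following script audits an iptables-save dump for the posture the step 8 script is meant to establish: DROP policies on INPUT and FORWARD, masquerading on the WAN interface, no rule that lets the internet open new connections to the LAN, and no rule that accepts new connections to the router from the WAN. It embeds a constructed sample dump in the shape the step 8 rules produce (the interface names eth0/ppp0 are the article's); run it with --live to audit the running router instead.

```shell
#!/bin/sh
# Added audit script (not from the original article): checks an iptables-save
# dump against the posture the step 8 firewall script is meant to give the router.
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}

# Constructed sample dump, shaped like what the step 8 script produces
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -d 192.168.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# has_rule DUMP PATTERN: succeed if some line of DUMP matches PATTERN (grep -E)
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# audit_ruleset DUMP: print one FAIL line per failed check, return 0 only if all pass
audit_ruleset() {
    dump=$1; rc=0
    has_rule "$dump" '^:INPUT DROP' \
        || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    has_rule "$dump" '^:FORWARD DROP' \
        || { echo "FAIL: FORWARD policy is not DROP"; rc=1; }
    has_rule "$dump" "^-A POSTROUTING -o $WAN -j MASQUERADE" \
        || { echo "FAIL: no MASQUERADE on $WAN"; rc=1; }
    # Every WAN->LAN forward rule must be limited to replies of existing flows;
    # an unconditional ACCEPT there lets the internet open connections into the LAN.
    if printf '%s\n' "$dump" | grep -E "^-A FORWARD -i $WAN -o $LAN " \
        | grep -Ev -- '--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED)' | grep -q .; then
        echo "FAIL: FORWARD $WAN->$LAN accepts new inbound connections"; rc=1
    fi
    # The router itself must not accept NEW connections arriving on the WAN
    has_rule "$dump" "^-A INPUT -i $WAN .*--state NEW .*-j ACCEPT" \
        && { echo "FAIL: INPUT accepts NEW connections from $WAN"; rc=1; }
    return $rc
}

# With --live the running ruleset is audited, otherwise the constructed sample
if [ "${1:-}" = "--live" ]; then audit_ruleset "$(iptables-save)"; else audit_ruleset "$SAMPLE_DUMP"; fi
```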
The advantage of this approach is that you can set up a Linux router in a few minutes and you can use almost any standard PC that has two NICs. Since Knoppix is a Live CD, it does not touch your hard drive, so your already installed OS is safe and can be used again simply by rebooting the PC without the Knoppix CD in the drive.

PS: you can minimize the downtime of "the" router by keeping the old ADSL router online while you set up the Linux router without connecting it to the LAN; then simply pull the cables from the old router, plug them into the new one, run the pon dsl-provider command and execute the firewall script.